Abstract. We present the topos S of trees as a model of guarded recursion. We study 
the internal dependently-typed higher-order logic of S and show that S models two modal 
operators, on predicates and types, which serve as guards in recursive definitions of terms, 
predicates, and types. In particular, we show how to solve recursive type equations involv- 
ing dependent types. We propose that the internal logic of S provides the right setting 
for the synthetic construction of abstract versions of step-indexed models of programming 
languages and program logics. As an example, we show how to construct a model of a pro- 
gramming language with higher-order store and recursive types entirely inside the internal 
logic of S. Moreover, we give an axiomatic categorical treatment of models of synthetic 
guarded domain theory and prove that, for any complete Heyting algebra A with a well- 
founded basis, the topos of sheaves over A forms a model of synthetic guarded domain 
theory, generalizing the results for S. 



1. Introduction 

Recursive definitions are ubiquitous in computer science. In particular, in semantics of 
programming languages and program logics we often use recursively defined functions and 
relations, and also recursively defined types (domains). For example, in recent years there 
has been extensive work on giving semantics of type systems for programming languages 
with dynamically allocated higher-order store, such as general ML-like references. Models 
have been expressed as Kripke models over a recursively defined set of worlds (an example 
of a recursively defined domain) and have involved recursively defined relations to interpret 
the recursive types of the programming language; see 0] and the references therein. 

In this paper we study a topos S, which we show models guarded recursion in the sense 
that it allows for guarded recursive definitions of both recursive functions and relations as 
well as recursive types. The topos S is known as the topos of trees (or forests); what is new 
here is our application of this topos to model guarded recursion. 

The internal logic of S is a standard many-sorted higher-order logic extended with 
modal operators on both types and terms. (Recall that terms in higher-order logic include 
both functions and relations, as the latter are simply Prop-valued functions.) This internal 
logic can then be used as a language to describe semantic models of programming languages 
with the features mentioned above. As an example which uses both recursively defined types 
and recursively defined relations in the S-logic, we present a model of $F_{\mu,\mathrm{ref}}$, a call-by-value 
programming language with impredicative polymorphism, recursive types, and general ML- 
like references. 

To situate our work in relation to earlier work, we now give a quick overview of the 
technical development of the present paper followed by a comparison to related work. We 
end the introduction with a summary of our contributions. 

1.1. Overview of technical development. The topos S is the category of presheaves on 
ω, the first infinite ordinal. This topos is known as the topos of trees, and is one of the 
most basic examples of presheaf categories. 

There are several ways to think intuitively about this topos. Let us recall one intuitive 
description, which can serve to understand why it models guarded recursion. An object X 
of S is a contravariant functor from ω (viewed as a preorder) to Set. We think of X as a 
variable set, i.e., a family of sets X(n), indexed over natural numbers n, and with restriction 
maps X(n + 1) → X(n). Morphisms f : X → Y are natural transformations from X to 
Y. The variable sets include the ordinary sets as so-called constant sets: for an ordinary 
set S, there is an object Δ(S) in S with Δ(S)(n) = S for all n. Since S is a category of 
presheaves, it is a topos; in particular it is a cartesian closed category and has a subobject 
classifier Ω (a type of propositions). The internal logic of S is an extension of standard 
Kripke semantics: for constant sets, the truth value of a predicate is just the set of worlds 
(downwards closed subsets of ω) for which the predicate holds. This observation suggests 
that there is a modal "later" operator ▷ on predicates $\Omega^{\Delta(S)}$ on constant sets, similar to 
what has been studied earlier p|, EH. Intuitively, for a predicate $\varphi : \Omega^{\Delta(S)}$ on the constant set 
Δ(S), ▷(φ) contains n + 1 if φ contains n. (A future world is a smaller number, hence the 
name "later" for this operator.) A recursively specified predicate μr.φ(r) is well-defined if 
every occurrence of the recursion variable r in φ is guarded by a ▷ modality: by definition 
of ▷, to know whether n + 1 is in the predicate it suffices to know whether n is in the 
predicate. There is also an associated Löb rule for induction, (▷φ → φ) → φ, as in 0]. 

Here we show that in fact there is a later operator not only on predicates on constant 
sets, but also on predicates on general variable sets, with associated Löb rule, and well-
defined guarded recursive definitions of predicates. 

Moreover, there is also a later operator ► (a functor) on the variable sets themselves: 
►(X) is given by ►(X)(1) = {*} and ►(X)(n + 1) = X(n). We can show the well-
definedness of recursive variable sets μX.F(X) in which the recursion variable X is guarded 
by this operator ►. Intuitively, such a recursively specified variable set is well-defined since, 
by definition of ►, to know what μX.F(X) is at level n + 1 it suffices to know what it is at 
level n. 

In the technical sections of the paper, we make the above precise. In particular, we detail 
the internal logic and the use of later on functions / predicates and on types. We explain 
how one can solve mixed-variance recursive type equations, for a wide collection of types. 
We show how to use the internal logic of S to give a model of $F_{\mu,\mathrm{ref}}$. The model, including 
the operational semantics of the programming language, is defined completely inside the 
internal logic; we discuss the connection between the resulting model and earlier models by 
relating internal definitions in the internal logic to standard (external) definitions. Since S 
is a topos, S also models dependent types. We give technical semantic results as needed for 
using later on dependent types and for recursive type-equations involving dependent types. 
We think of this as a first step towards a formalized dependent type theory with a later 
operator; here we focus on the foundational semantic issues. 

To explain the relationship to some of the related work, we point out that S is equivalent 
to the category of sheaves on $\bar\omega$, where $\bar\omega$ is the complete Heyting algebra of natural numbers 
with the usual ordering and extended with a top element ∞. Moreover, this sheaf category, 
and hence also S, is equivalent to the topos obtained by the tripos-to-topos construction [21] 
applied to the tripos $\mathrm{Set}(-, \bar\omega)$. The logic of constant sets in S is exactly the logic of this 
tripos.¹ 

In the first part of this paper we work with the presentation of S as presheaves since 
it is the most concrete, but in fact many of our results generalize to sheaf categories over 
other complete well-founded Heyting algebras. Indeed, we include a more general axiomatic 
treatment of models of synthetic guarded domain theory and prove that, for any complete 
Heyting algebra with a well-founded basis, the topos of sheaves over the Heyting algebra 
yields a model of synthetic guarded domain theory. We present this generalization after the 
more concrete treatment of S, since the concrete treatment of S is perhaps more accessible. 



1.2. Related work. Nakano presented a simple type theory with guarded recursive types 
[30] which can be modelled using complete bounded ultrametric spaces 0j. We show in 
Section 5 that the category BiCBUlt of bisected, complete bounded ultrametric spaces is a 
co-reflective subcategory of S. Thus, our present work can be seen as an extension of the 
work of Nakano to include the full internal language of a topos, in particular dependent 
types, and an associated higher-order logic. Pottier [32] presents an extension of System F 
with recursive kinds based on Nakano's calculus; hence S also models the kind language of 
his system. 

Di Gianantonio and Miculan [10] studied guarded recursive definitions of functions in 
certain sheaf toposes over well-founded complete Heyting algebras, thus including S. Our 
work extends the work of Di Gianantonio and Miculan by also including guarded recursive 
definitions of types, by emphasizing the use of the internal logic (this was suggested as future 
work in [10]), and by including an extensive example application. Moreover, our general 
treatment of sheaf models includes sheaves over any well-founded complete Heyting algebra, 
whereas Di Gianantonio and Miculan restrict attention to those Heyting algebras that arise 
as the opens of a topological space. 

¹ Recall that the tripos $\mathrm{Set}(-, \bar\omega)$ is a model of logic in which types and terms are interpreted as sets and 
functions, and predicates are interpreted as $\bar\omega$-valued functions. 

Earlier work has advocated the use of complete bounded ultrametric spaces for solving 
recursive type and relation equations that come up when modelling programming languages 
with higher-order store @, 0|. As mentioned above, BiCBUlt is a subcategory of S, and 
hence our present work can be seen as an improvement of this earlier work: it is an 
improvement since S supports full higher-order logic. In the earlier work, one had to show 
that the functions defined in the interpretation of the programming language types were 
non-expansive. Here we take the synthetic approach (cf. [20]) and place ourselves in the 
internal logic of the topos when defining the interpretation of the programming language, 
see Section 3. This means that there is no need to prove properties like non-expansiveness 
since, intuitively, all functions in the topos are suitably non-expansive. 

Dreyer et al. [11] proposed a logic, called LSLR, for defining step-indexed interpretations 
of programming languages with recursive types, building on earlier work by Appel et al. 0] 
who proposed the use of a later modality on predicates. The point of LSLR is that it 
provides for more abstract ways of constructing and reasoning with step-indexed models, 
thus avoiding tedious calculations with step indices. The core logic of LSLR is the logic 
of the tripos $\mathrm{Set}(-, \bar\omega)$ mentioned above,² which allows for recursively defined predicates 
following [3], but not recursively defined types. One point of passing from this tripos to the 
topos S is that it gives us a wider collection of types (variable sets rather than only constant 
sets), which makes it possible also to have mixed-variance recursively defined types.³ 

Dreyer et al. developed an extension of LSLR called LADR for reasoning about step-
indexed models of the programming language $F_{\mu,\mathrm{ref}}$ with higher-order store [13]. LADR is a 
specialized logic where much of the world structure used for reasoning efficiently about local 
state is hidden by the model of the logic; here we are proposing a general logic that can be 
used to construct many step-indexed models, including the one used to model LADR. In 
particular, in our example application in Section 3 we define a set of worlds inside the S 
logic, using recursively defined types. 

As part of our analysis of recursive dependent types, we define a class of types, called 
functorial types. We show that functorial types are closed under nested recursive types, a 
result which is akin to results on nested inductive types P, [uj. The difference is that we 
allow for general mixed-variance recursive types, but on the other hand we require that all 
occurrences of recursion variables must be guarded. 



1.3. Summary of contributions. We show how the topos S, and, more generally, any 
topos of sheaves over a complete Heyting algebra with a well-founded basis, provides a 
simple but powerful model of guarded recursion, allowing for guarded recursive definitions 
of both terms and types in the internal dependently-typed higher-order logic. In particular, 
we 

• show that the two later modalities are well-behaved on slices; 

• give existence theorems for fixed points of guarded recursive terms and guarded nested 
dependent mixed-variance recursive types; 

• detail the relation of S to the category of complete bounded ultrametric spaces; 

² Dreyer et al. [11] presented the semantics of their second-order logic in more concrete terms, avoiding 
the use of triposes, but it is indeed a fragment of the internal logic of the mentioned tripos. 

³ The terminology can be slightly confusing: in [3], our notion of recursive relations was called recursive 
types, probably because the authors of loc. cit. used such to interpret recursive types of a programming 
language. Recursive types in our sense were not considered in 0]. 
• present, as an example application, a synthetic model of $F_{\mu,\mathrm{ref}}$ constructed internally in 
S; 

• give an axiomatic treatment of a general class of models of guarded recursion. 

Our general existence theorems for recursive types in Section 8 are phrased in terms of 
Sh(A)-categories, i.e., categories enriched in sheaves over a complete Heyting algebra A 
with a well-founded basis, and generalize earlier work on recursive types for categories 
enriched in complete bounded ultrametric spaces. 



2. The S Topos 

The category S is that of presheaves on ω, the preorder of natural numbers starting from 1 
and ordered by inclusion. Explicitly, the objects of $\mathcal{S} = \mathrm{Set}^{\omega^{\mathrm{op}}}$ are families of sets indexed 
by natural numbers together with restriction maps $r_n : X(n + 1) \to X(n)$. Morphisms are 
families $(f_n)_n$ of maps commuting with the restriction maps as indicated in the diagram 

$$
\begin{array}{ccccccc}
X(1) & \xleftarrow{\ r_1\ } & X(2) & \xleftarrow{\ r_2\ } & X(3) & \xleftarrow{\ r_3\ } & \cdots \\
\big\downarrow{\scriptstyle f_1} & & \big\downarrow{\scriptstyle f_2} & & \big\downarrow{\scriptstyle f_3} & & \\
Y(1) & \xleftarrow{\ r_1\ } & Y(2) & \xleftarrow{\ r_2\ } & Y(3) & \xleftarrow{\ r_3\ } & \cdots
\end{array}
$$

If $x \in X(m)$ and $n \le m$ we write $x|_n$ for $r_n \circ \cdots \circ r_{m-1}(x)$. 

As all presheaf categories, S is a topos; in particular it is cartesian closed and has a 
subobject classifier. Moreover, it is complete and cocomplete, and limits and colimits are 
computed pointwise. The n'th component of the exponential $Y^X(n)$ is the set of tuples 
$(f_1, \dots, f_n)$ commuting with the restriction maps, and the restriction maps of $Y^X$ are given 
by projection. We sometimes use the notation $X \to Y$ for $Y^X$. 

A subobject A of X is a family of subsets $A(n) \subseteq X(n)$ such that $r_n(A(n + 1)) \subseteq A(n)$. 
The subobject classifier has $\Omega(n) = \{0, \dots, n\}$ and restriction maps $r_n(x) = \min(n, x)$. 
The characteristic morphism $\chi_A : X \to \Omega$ maps $x \in X(n)$ to the maximal m such that 
$x|_m \in A(m)$ if such an m exists and to 0 otherwise. 

The natural numbers object N in S is the constant set of natural numbers. 

Intuitively, we can think of the set X(n) as what the type X looks like, if one has at 
most n time steps to reason about it. The restriction maps $r_n : X(n + 1) \to X(n)$ describe 
what happens to the data when one time step passes. This intuition is illustrated by the 
following example. 

Example 2.1. We can define the object Str ∈ S of (variable) streams of natural numbers 
as follows: 

$$ N \xleftarrow{\ r_1\ } N^2 \xleftarrow{\ r_2\ } N^3 \xleftarrow{\ r_3\ } \cdots $$

where the restriction maps $r_m : N^{m+1} \to N^m$ map $(n_1, \dots, n_m, n_{m+1})$ to $(n_1, \dots, n_m)$. 
Intuitively, this is the type of streams where the head is immediately available, but the tail 
is only available after one time step. If we have n time steps to reason about this type we 
can access the first n elements, hence $\mathrm{Str}(n) = N^n$. 

The successor function succ on streams, which adds one to every element in a stream, 
can be defined in the model by 

$$ \mathrm{succ}_m : N^m \to N^m = (n_1, \dots, n_m) \mapsto (n_1 + 1, \dots, n_m + 1). $$

Clearly succ is a natural transformation from Str to Str; hence it is a well-defined map 
in S. Observe that $\mathrm{succ}_m$ can also be defined by induction as $\mathrm{succ}_1(n) = n + 1$ and 
$\mathrm{succ}_{m+1}(n_1, n_2, \dots, n_{m+1}) = (n_1 + 1, \mathrm{succ}_m(n_2, \dots, n_{m+1}))$. 

The subobject A ⊆ Str of increasing streams can be defined by letting $A_m \subseteq N^m$ be 
the set of tuples $(n_1, \dots, n_m)$ that are increasing (i.e., $n_i > n_j$ for $i > j$). Note that A is 
trivially closed under the restriction maps, and thus it is a well-defined subobject of Str. 



2.1. The ► endofunctor. Define the functor ► : S → S by ►X(1) = {*} and 
►X(n + 1) = X(n). This functor, called later, has a left adjoint (so ► preserves all limits) given by 
◄X(n) = X(n + 1). Since limits are computed pointwise, ◄ preserves them, and so the 
adjunction ◄ ⊣ ► defines a geometric morphism, in fact an embedding. However, we shall 
not make use of this fact in the present paper (because ◄ is not a fibred endofunctor on 
the codomain fibration, hence is not a useful operator in the dependent type theory; see 
Section 4). 

There is a natural transformation $\mathrm{next}_X : X \to \blacktriangleright X$ whose 1st component is the unique 
map into {*} and whose (n + 1)th component is $r_n$. Although next looks like a unit, ► is 
not a monad: there are no natural transformations ►► → ►. 

Since ► preserves finite limits, there is always a morphism 

$$ J : \blacktriangleright(X \to Y) \to (\blacktriangleright X \to \blacktriangleright Y). \qquad (2.1) $$



2.2. An operator on predicates. There is a morphism ▷ : Ω → Ω mapping n ∈ Ω(m) to 
min(m, n + 1). By setting $\chi_{\triangleright A} = \triangleright \circ \chi_A$ there is an induced operation on subobjects, again 
denoted ▷. This operation, which we also call "later", is connected to the ► functor, since 
there is a pullback diagram 

$$
\begin{array}{ccc}
\triangleright A & \longrightarrow & \blacktriangleright A \\
\big\downarrow{\scriptstyle \triangleright m} & & \big\downarrow{\scriptstyle \blacktriangleright m} \\
X & \xrightarrow{\ \mathrm{next}_X\ } & \blacktriangleright X
\end{array}
$$

for any subobject m : A → X. 



2.3. Recursive morphisms. We introduce a notion of contractive morphism and show 
that these have unique fixed points. 

Definition 2.2. A morphism f : X → Y is contractive if there exists a morphism g : ►X → 
Y such that $f = g \circ \mathrm{next}_X$. A morphism f : X × Y → Z is contractive in the first variable 
if there exists g such that $f = g \circ (\mathrm{next}_X \times \mathrm{id}_Y)$. 

For instance, contractiveness of ▷ on Ω is witnessed by succ : ►Ω → Ω with $\mathrm{succ}_n(k) = k + 1$. 

Lemma 2.3. 

(1) If f : X → Y and g : Y → Z and either f or g is contractive, then also gf is contractive. 

(2) If f : X → Y and g : X' → Y' are contractive, so is f × g : X × X' → Y × Y'. 

(3) A morphism h : X × Y → Z is contractive in the first variable iff its exponential transpose 
$\tilde h : X \to Z^Y$ is contractive. 

If f : X → Y is contractive as witnessed by g, the value of $f_{n+1}(x)$ can be computed from 
$r_n(x)$ and moreover, $f_1$ must be constant. If X = Y we can define a fixed point x : 1 → X by 
defining $x_1 = g_1(*)$ and $x_{n+1} = g_{n+1}(x_n)$. This construction can be generalized to include 
fixed points of morphisms with parameters as follows. 

Theorem 2.4. There exists a natural family of morphisms $\mathrm{fix}_X : (\blacktriangleright X \to X) \to X$, indexed 
by the collection of all objects X, which computes unique fixed points in the sense that if 
f : X × Y → X is contractive in the first variable as witnessed by g, i.e., $f = g \circ (\mathrm{next}_X \times \mathrm{id}_Y)$, 
then $\mathrm{fix}_X \circ \tilde g$ is the unique h : Y → X such that $f \circ \langle h, \mathrm{id}_Y \rangle = h$ (here $\tilde g$ denotes the exponential 
transpose of g). 
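To make the level-wise construction concrete, here is an added Python example (not code from the paper) modelling Str from Example 2.1 and the fixed-point construction $x_1 = g_1(*)$, $x_{n+1} = g_{n+1}(x_n)$ of Theorem 2.4 for the guarded stream definition nats = 0 :: succ(nats); representing levels as tuples and the witness g as a Python function are assumptions of this example.

```python
"""Finite-level model of Str (Example 2.1) and of the fixed-point construction
behind Theorem 2.4, computed level by level.

Added example, not code from the paper. An element of Str(n) = N^n is an
n-tuple; the restriction map r_{n-1} : Str(n) -> Str(n-1) drops the last entry.
A contractive morphism f = g o next_X is represented by its witness g, given
as a Python function g(n, x_prev) computing g_n on an element of
(later X)(n) = X(n-1); x_prev is None at level 1, where (later X)(1) = {*}.
"""
from typing import Callable, List, Optional, Tuple

Stream = Tuple[int, ...]


def restrict(x: Stream) -> Stream:
    """r_{n-1} : Str(n) -> Str(n-1), projection away from the last element."""
    return x[:-1]


def succ(x: Stream) -> Stream:
    """succ_n : N^n -> N^n from Example 2.1: add one to every element."""
    return tuple(k + 1 for k in x)


def is_natural(h: Callable[[Stream], Stream], x: Stream) -> bool:
    """Naturality square at x in Str(n), n >= 2: h_{n-1}(r x) == r(h_n x)."""
    return h(restrict(x)) == restrict(h(x))


def fix(g: Callable[[int, Optional[Stream]], Stream], levels: int) -> List[Stream]:
    """x_1 = g_1(*), x_{n+1} = g_{n+1}(x_n): the first `levels` components of the
    global element fix_X(g) : 1 -> X of Theorem 2.4 (with Y = 1)."""
    xs: List[Stream] = []
    prev: Optional[Stream] = None
    for n in range(1, levels + 1):
        prev = g(n, prev)
        xs.append(prev)
    return xs


def g_nats(n: int, prev: Optional[Stream]) -> Stream:
    """Witness for the guarded stream definition nats = 0 :: succ(nats), i.e. for
    f(s) = (0, succ(s)): g_1(*) = (0,), g_{n+1}(s) = (0,) ++ succ_n(s)."""
    if prev is None:
        return (0,)
    return (0,) + succ(prev)


def f_nats(x: Stream) -> Stream:
    """f = g o next_Str evaluated at level n = len(x); next_n is r_{n-1} (or * at n = 1)."""
    return g_nats(len(x), restrict(x) if len(x) > 1 else None)


def is_global_fixed_point(f: Callable[[Stream], Stream], xs: List[Stream]) -> bool:
    """xs is a global element (r_n(x_{n+1}) = x_n) and f_n(x_n) = x_n at every level."""
    compatible = all(restrict(xs[i + 1]) == xs[i] for i in range(len(xs) - 1))
    return compatible and all(f(x) == x for x in xs)


if __name__ == "__main__":
    nats = fix(g_nats, 5)
    print(nats)                                  # [(0,), (0, 1), (0, 1, 2), ...]
    print(is_global_fixed_point(f_nats, nats))   # True
```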

2.4. Internal logic. We start by calling to mind parts of the Kripke–Joyal forcing semantics 
for S. For $X_1, \dots, X_m$ in S, $\varphi : X_1 \times \cdots \times X_m \to \Omega$, $n \in \omega$, and $a_1 \in X_1(n), \dots, a_m \in X_m(n)$, 
we define $n \models \varphi(a_1, \dots, a_m)$ iff $\varphi_n(a_1, \dots, a_m) = n$. 

The standard clauses for the forcing relation are as follows [26, Example 9.5] (we write 
$\mathbf{a}$ for a sequence $a_1, \dots, a_m$): 

$$
\begin{array}{lcl}
n \models (s = t)(\mathbf{a}) & \Longleftrightarrow & \llbracket s \rrbracket_n(\mathbf{a}) = \llbracket t \rrbracket_n(\mathbf{a}) \\
n \models R(t_1, \dots, t_k)(\mathbf{a}) & \Longleftrightarrow & \llbracket R \rrbracket_n(\llbracket t_1 \rrbracket_n(\mathbf{a}), \dots, \llbracket t_k \rrbracket_n(\mathbf{a})) = n \\
n \models (\varphi \wedge \psi)(\mathbf{a}) & \Longleftrightarrow & n \models \varphi(\mathbf{a}) \wedge n \models \psi(\mathbf{a}) \\
n \models (\varphi \vee \psi)(\mathbf{a}) & \Longleftrightarrow & n \models \varphi(\mathbf{a}) \vee n \models \psi(\mathbf{a}) \\
n \models (\varphi \to \psi)(\mathbf{a}) & \Longleftrightarrow & \forall k \le n.\ k \models \varphi(\mathbf{a}|_k) \to k \models \psi(\mathbf{a}|_k) \\
n \models (\exists x{:}X.\varphi)(\mathbf{a}) & \Longleftrightarrow & \exists \alpha \in \llbracket X \rrbracket(n).\ n \models \varphi(\mathbf{a}, \alpha) \\
n \models (\forall x{:}X.\varphi)(\mathbf{a}) & \Longleftrightarrow & \forall k \le n,\ \alpha \in \llbracket X \rrbracket(k).\ k \models \varphi(\mathbf{a}|_k, \alpha)
\end{array}
$$

Proposition 2.5. ▷ is the unique morphism on Ω satisfying $1 \models \triangleright\varphi(\mathbf{a})$ and 
$n + 1 \models \triangleright\varphi(\mathbf{a}) \Longleftrightarrow n \models \varphi(\mathbf{a}|_n)$. Moreover, $\forall x, y : X.\ \triangleright(x = y) \leftrightarrow \mathrm{next}_X(x) = \mathrm{next}_X(y)$ holds in S. 

The following definition will be useful for presenting facts about the internal logic of S. 

Definition 2.6. An object X in S is total if all the restriction maps $r_n$ are surjective. 

Hence all constant objects Δ(S) are total, but the total objects also include many non-
constant objects, e.g., the subobject classifier. The above definition is phrased in terms of 
the model; the internal logic can be used to give a simple characterization of when X is 
total and inhabited by a global element⁴: that is the case iff $\mathrm{next}_X$ is internally surjective 
in S, i.e., iff $\forall y : \blacktriangleright X.\ \exists x : X.\ \mathrm{next}_X(x) = y$ holds in S. The following proposition can be 
proved using the forcing semantics; note that the distribution rules below for ▷ generalize 
the ones for constant sets described in [11] (since constant sets are total). 

Theorem 2.7. In the internal logic of S we have: 

(1) (Monotonicity). $\forall p : \Omega.\ p \to \triangleright p$. 

(2) (Löb rule). $\forall p : \Omega.\ (\triangleright p \to p) \to p$. 

(3) ▷ commutes with the logical connectives ⊤, ∧, →, ∨, but does not preserve ⊥. 

(4) For all X, Y, and φ, we have $\exists y : Y.\ \triangleright\varphi(x, y) \to \triangleright(\exists y : Y.\ \varphi(x, y))$. The implication 
in the opposite direction holds if Y is total and inhabited. 



(5) For all X, Y, and φ, we have $\triangleright(\forall y : Y.\ \varphi(x, y)) \to \forall y : Y.\ \triangleright\varphi(x, y)$. The implication 
in the opposite direction holds if Y is total. 

⁴ X is inhabited by a global element if there exists a morphism x : 1 → X. 

We now define an internal notion of contractiveness in the logic of S which implies (in the 
logic) the existence of a unique fixed point for inhabited types. 

Definition 2.8. The predicate Contr on $Y^X$ is defined in the internal logic by 

$$ \mathrm{Contr}(f) \Longleftrightarrow \forall x, x' : X.\ \triangleright(x = x') \to f(x) = f(x'). $$

For a morphism f : X → Y, corresponding to a global element of $Y^X$, we have that if 
f is contractive (in the external sense of Definition 2.2), then Contr(f) holds in the logic of 
S. The converse is true if X is total and inhabited, but not in general. We use both notions 
of contractiveness: the external notion provides for a simple algebraic theory of fixed points 
for not only morphisms but also functors (see Section 2.6), whereas the internal notion is 
useful when working in the internal logic. 

The internal notion of contractiveness generalizes the usual metric notion of contrac-
tiveness for functions between complete bounded ultrametric spaces; see Section 5. 

Theorem 2.9 (Internal Banach Fixed-Point Theorem). The following holds in S: 

$$ (\exists x : X.\ \top) \wedge \mathrm{Contr}(f) \to \exists! x : X.\ f(x) = x. $$

The above theorem (the Internal Banach Fixed-Point Theorem) is proved in the internal 
logic using the following lemma, which expresses a non-classical property. The lemma can 
be proved in the internal logic using the Löb rule (and using that N is a total object); 
below we give a semantic proof using the Kripke–Joyal semantics. 

Lemma 2.10. The following holds in S: 

$$ \mathrm{Contr}(f) \to \exists n : N.\ \forall x, x' : X.\ f^n(x) = f^n(x'). $$

Proof. We must show that any m forces the predicate. Unfolding the definition of the 
forcing relation, we see that it suffices to show that for all m and all $f \in X^X(m)$ there 
exists an n such that 

$$ m \models \mathrm{Contr}(f) \to m \models \forall x, x' : X.\ f^n(x) = f^n(x'). $$

The element f is a family $(f_i : X(i) \to X(i))_{i \le m}$ and the condition $m \models \mathrm{Contr}(f)$ implies 
that $f_i^i(x) = f_i^i(y)$ for all $i \le m$ and all $x, y \in X(i)$. In particular $f_1$ is constant. Therefore 
choosing n = m makes $m \models \forall x, x' : X.\ f^n(x) = f^n(x')$ true. □ 

2.5. Recursive relations. As an example application of Theorem 2.9 we consider the 
definition of recursive predicates. Let $\varphi(r) : \Omega^X$ be a predicate on X in the internal logic of 
S as presented above (over non-dependent types, but possibly using ▷) with free variable 
r, also of type $\Omega^X$. Note that $\Omega^X$ is inhabited by a global element. If r only occurs 
under a ▷ in φ, then φ defines an internally contractive map $\varphi : \Omega^X \to \Omega^X$ (proved by 
external induction on φ). Therefore, by Theorem 2.9, $\exists! r : \Omega^X.\ \varphi(r) = r$ holds in S. By 
description (aka axiom of unique choice), which holds in any topos [26], there is then a 
morphism $R : 1 \to \Omega^X$ such that φ(R) = R in S, and since internal and external equality 
coincide, also φ(R) = R externally as morphisms $1 \to \Omega^X$. In sum, we have shown the 
well-definedness of recursive predicates r = φ(r) where r only occurs guarded by ▷ in φ. 

Note that we have proved the existence of recursive guarded relations (and thus do 
not have to add them to the language with special syntax) since we are working with a 
higher-order logic. 

Example 2.11. Suppose R ⊆ X × X is some relation on a set X. We can include it into 
S by using the functor Δ : Set → S, obtaining ΔR ⊆ ΔX × ΔX. Consider the recursive 
relation 

$$ R^\omega(x, y) \Longleftrightarrow (x = y) \vee \exists z.\ (\Delta R(x, z) \wedge \triangleright R^\omega(z, y)). $$

Now, $n + 1 \models R^\omega(x, y)$ iff $(x, y) \in \bigcup_{0 \le i \le n} R^i$ or there exists z such that $R^{n+1}(x, z)$. If R is 
a rewrite relation then $n + 1 \models R^\omega(x, y)$ states the extent to which we can determine if x 
rewrites to y by inspecting all rewrite sequences of length at most n. 

A variant of Example 2.11 is used in Section 3. 
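As an added example (not from the paper), the following Python computes the truth value of $R^\omega$ level by level on a small constructed rewrite relation, unfolding the guarded definition with the for-▷ clause of Proposition 2.5, and checks it against the path characterisation stated in Example 2.11 and against $\chi_{\triangleright A} = \triangleright \circ \chi_A$ from Section 2.2; the finite set X and relation R are constructed sample data, and "level 0" is an encoding device of the example.

```python
"""Level-wise computation of the recursive relation R^omega of Example 2.11.

Added example, not code from the paper. X is a finite set and R a finite
(constructed) rewrite relation on it. Truth values at stage m live in
Omega(m) = {0, ..., m}, "n |= phi" means the value is at least n, and forcing
is downward closed, so the characteristic morphism returns the largest forcing n.
Level 0 is used only as an encoding of "|> phi holds at level 1 for every phi".
"""
from itertools import product

# Constructed sample: a -> b -> c dead-ends, d rewrites to itself forever.
X_SAMPLE = ("a", "b", "c", "d")
R_SAMPLE = {("a", "b"), ("b", "c"), ("d", "d")}


def later(m: int, n: int) -> int:
    """The morphism |> : Omega -> Omega at stage m, n |-> min(m, n + 1) (Section 2.2)."""
    return min(m, n + 1)


def forces_R_omega(R, X, n: int, x, y) -> bool:
    """n |= R^omega(x, y), unfolding the guarded definition
         R^omega(x, y) <-> (x = y) or exists z. R(x, z) and |> R^omega(z, y)
    one level at a time: 1 |= |> phi always, and n+1 |= |> phi iff n |= phi
    (Proposition 2.5). Recursion on n terminates because r only occurs under |>."""
    if n == 0:
        return True                      # encoding of "|> phi holds at level 1"
    if x == y:
        return True
    return any((x, z) in R and forces_R_omega(R, X, n - 1, z, y) for z in X)


def truth_value(R, X, m: int, x, y) -> int:
    """Characteristic morphism of R^omega at stage m: the largest n <= m with n |= R^omega(x, y)."""
    return max(n for n in range(m + 1) if forces_R_omega(R, X, n, x, y))


def truth_value_later(R, X, m: int, x, y) -> int:
    """Truth value of |> R^omega(x, y) at stage m, computed via the forcing clause for |>."""
    return max(n for n in range(m + 1) if n == 0 or forces_R_omega(R, X, n - 1, x, y))


def compose(R, S):
    """Relational composition R ; S."""
    return {(a, c) for (a, b) in R for (b2, c) in S if b == b2}


def powers(R, X, k: int):
    """[R^0, ..., R^k] with R^0 the identity on X."""
    P = [{(a, a) for a in X}]
    for _ in range(k):
        P.append(compose(P[-1], R))
    return P


def forces_by_paths(R, X, n_plus_1: int, x, y) -> bool:
    """The external characterisation given in Example 2.11:
       n+1 |= R^omega(x, y)  iff  (x, y) in R^0 u ... u R^n  or  exists z. R^{n+1}(x, z)."""
    n = n_plus_1 - 1
    P = powers(R, X, n + 1)
    return any((x, y) in P[i] for i in range(n + 1)) or any((x, z) in P[n + 1] for z in X)


def characterisation_agrees(R, X, max_level: int) -> bool:
    """Check the guarded unfolding against the path characterisation at levels 1..max_level."""
    return all(forces_R_omega(R, X, n, x, y) == forces_by_paths(R, X, n, x, y)
               for n in range(1, max_level + 1) for x, y in product(X, X))


def later_agrees(R, X, m: int) -> bool:
    """chi_{|> A} = |> o chi_A (Section 2.2), checked on R^omega at stage m."""
    return all(truth_value_later(R, X, m, x, y) == later(m, truth_value(R, X, m, x, y))
               for x, y in product(X, X))
```

On the sample, (a, d) is refuted at level 3 (the only rewrite sequence from a dies after two steps), while (d, a) is never refuted because d rewrites forever.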



2.6. Recursive domain equations. In this section we present a simplified version of our 
results on solutions to recursive domain equations in S sufficient for the example of Section 3. 
The full results on recursive domain equations can be found in Section 8. 

Denote by $\ulcorner f \urcorner : 1 \to Y^X$ the curried version of f : X → Y. Following Kock [25] we 
say that an endofunctor F : S → S is strong if, for all X, Y, there exists a morphism 
$F_{X,Y} : Y^X \to FY^{FX}$ such that $F_{X,Y} \circ \ulcorner f \urcorner = \ulcorner Ff \urcorner$ for all f. 

Definition 2.12. A strong endofunctor on S is locally contractive if each $F_{X,Y}$ is contrac-
tive, i.e., there exists a family $G_{X,Y}$ such that $G_{X,Y} \circ \mathrm{next}_{Y^X} = F_{X,Y}$ and moreover G 
respects identity and composition, that is, the following diagrams commute 

$$
\begin{array}{ccccc}
\blacktriangleright(Y^X) \times \blacktriangleright(Z^Y) & \xrightarrow{\ \cong\ } & \blacktriangleright(Y^X \times Z^Y) & \xrightarrow{\ \blacktriangleright(\mathrm{comp})\ } & \blacktriangleright(Z^X) \\
\big\downarrow{\scriptstyle G_{X,Y} \times G_{Y,Z}} & & & & \big\downarrow{\scriptstyle G_{X,Z}} \\
FY^{FX} \times FZ^{FY} & & \xrightarrow{\qquad\qquad \mathrm{comp} \qquad\qquad} & & FZ^{FX}
\end{array}
\qquad
\begin{array}{ccc}
1 & \xrightarrow{\ \blacktriangleright \ulcorner \mathrm{id} \urcorner\ } & \blacktriangleright(X^X) \\
 & {\scriptstyle \ulcorner \mathrm{id} \urcorner}\searrow & \big\downarrow{\scriptstyle G_{X,X}} \\
 & & FX^{FX}
\end{array}
$$

This notion readily generalizes to mixed-variance endofunctors on S. 

Remark 2.13. Definition 2.12 is slightly less general than the one given in the conference 
version of this paper [J] where local contractiveness simply required $F_{X,Y}$ to be contractive. 
The definition given here greatly simplifies the proof of existence of solutions to recursive 
domain equations, especially in the general setting presented in Section 8, and at the 
same time, the extra requirements used here do not rule out any examples we know of. In 
particular, the syntactic conditions for well-definedness of recursive types remain unchanged. 

The requirement of G commuting with composition and identity can be rephrased as G 
defining an enriched functor. In Section 6 we use this observation to generalise the notion 
of locally contractive functor. 

For example, ► is locally contractive (as witnessed by J (2.1)), and one can show that 
the composition of a strong functor and a locally contractive functor (in either order) is 
locally contractive (see Lemma 7.3 for a generalized statement). As a result, one can show 
that any type expression A(X, Y) constructed from type variables X, Y using ► and simple 
type constructors in which X occurs only negatively and Y only positively and both only 
under ► gives rise to a locally contractive functor. Indeed, in Section 4 we present such 
syntactic conditions ensuring that a type expression in dependent type theory induces a 
locally contractive functor. 
Theorem 2.14. Let $F : \mathcal{S}^{\mathrm{op}} \times \mathcal{S} \to \mathcal{S}$ be a locally contractive functor. Then there exists a 
unique X (up to isomorphism) such that $F(X, X) \cong X$. 

Section 8 gives a detailed proof of a generalised version of this theorem. Here we just 
sketch a proof. We consider first the covariant case. 

Lemma 2.15. Let F : S → S be locally contractive and say that f : X → Y is an n-
isomorphism if $f_i$ is an isomorphism for all $i \le n$. Then F maps n-isomorphisms to 
(n + 1)-isomorphisms for all n. 

Since any morphism f : X → Y is a 0-isomorphism, $F^n(f) : F^n X \to F^n Y$ is an n-
isomorphism. Consider the sequence 

$$ F1 \xleftarrow{\ F(!)\ } F^2 1 \xleftarrow{\ F^2(!)\ } F^3 1 \xleftarrow{\ F^3(!)\ } F^4 1 \longleftarrow \cdots \qquad (2.2) $$

The sequence above is a sequence of morphisms and objects in S and so represents a diagram 
of sets and functions as in 

$$
\begin{array}{ccccccc}
F(1)(1) & \xleftarrow{\ F(!)_1\ } & F^2(1)(1) & \xleftarrow{\ F^2(!)_1\ } & F^3(1)(1) & \xleftarrow{\ F^3(!)_1\ } & F^4(1)(1) \cdots \\
\big\uparrow{\scriptstyle r_1} & & \big\uparrow{\scriptstyle r_1} & & \big\uparrow{\scriptstyle r_1} & & \big\uparrow{\scriptstyle r_1} \\
F(1)(2) & \xleftarrow{\ F(!)_2\ } & F^2(1)(2) & \xleftarrow{\ F^2(!)_2\ } & F^3(1)(2) & \xleftarrow{\ F^3(!)_2\ } & F^4(1)(2) \cdots \\
\big\uparrow{\scriptstyle r_2} & & \big\uparrow{\scriptstyle r_2} & & \big\uparrow{\scriptstyle r_2} & & \big\uparrow{\scriptstyle r_2} \\
F(1)(3) & \xleftarrow{\ F(!)_3\ } & F^2(1)(3) & \xleftarrow{\ F^2(!)_3\ } & F^3(1)(3) & \xleftarrow{\ F^3(!)_3\ } & F^4(1)(3) \cdots \\
\vdots & & \vdots & & \vdots & & \vdots
\end{array}
\qquad (2.3)
$$

By the above observation, $F^n(!)_k$ is an isomorphism for $k \le n$; in other words, after 
k iterations of F the first k components are fixed by further iterations of F. Intuitively, we 
can therefore form a fixed point for F by taking the diagonal of (2.3), i.e., the object whose 
k'th component is $F^k(1)(k)$. Indeed, in Section 8 we construct this object as the limit of 

Any fixed point for such an F must be at the same time an initial algebra and a 
final coalgebra: given any fixed point $f : FX \cong X$ and algebra g : FY → Y, a morphism 
h : X → Y is a homomorphism iff $\ulcorner h \urcorner$ is a fixed point of $\xi = \lambda k : X \to Y.\ g \circ Fk \circ f^{-1}$. Since 
F is locally contractive, ξ is contractive and so must have a unique fixed point. The case 
of final coalgebras is similar. 

Thus, S is algebraically compact in the sense of Freyd with respect to locally 
contractive functors. The solutions to general recursive domain equations can then be 
established using Freyd's constructions. 

Example 2.16. Recall the type Str of streams defined concretely in the model in Exam-
ple 2.1. It can be defined in the internal language using Theorem 2.14, namely as the type 
satisfying the recursive domain equation 

$$ \mathrm{Str} \cong N \times \blacktriangleright \mathrm{Str}. $$

Write $i : N \times \blacktriangleright\mathrm{Str} \to \mathrm{Str}$ for the isomorphism. (Observe that $i_m$ is nothing but the identity 
function.) 

FIRST STEPS IN SYNTHETIC GUARDED DOMAIN THEORY 

Now, we can define the successor function in the internal language as the fixed point of 
the following contractive function F : (Str → Str) → (Str → Str): 

$$ F(f) = \lambda s.\ \mathbf{let}\ (n, t) = i^{-1}(s)\ \mathbf{in}\ i(n + 1, J(\mathrm{next}\, f)(t)) $$

Note that F is clearly contractive (in the external sense) since the argument f is only used 
under next in F(f). Hence F has a fixed point, which is indeed the successor function from 
Example 2.1, i.e., $\mathrm{succ} = \mathrm{fix}_{\mathrm{Str} \to \mathrm{Str}}\, F$. 
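The following added Python example (not the paper's code) carries Example 2.16 out at finite levels: it represents an element of (Str → Str)(m) by its m components, defines F through its witness G (so that F = G ∘ next), and checks that the fixed point agrees with succ from Example 2.1 and is fixed by F; representing exponential components as lists of Python functions is an assumption of the example.

```python
"""Example 2.16 at finite levels: succ = fix_{Str -> Str} F.

Added example, not code from the paper. An element of the exponential
(Str -> Str)(m) is modelled as the list [f_1, ..., f_m] of its components
(f_k : N^k -> N^k as Python functions on k-tuples; the restriction maps of the
exponential are projections). The contractive map
    F(f) = \\s. let (n, t) = i^{-1}(s) in i(n + 1, J(next f)(t))
is given through its witness G with F = G o next; at level k the isomorphism i
is the identity, so (n, t) is just the head s_1 and the tail s|_{k-1}, and
J(next f)(t) evaluates f one level down, i.e. f_{k-1}(t).
"""
from typing import Callable, List, Optional, Tuple

Stream = Tuple[int, ...]
Component = Callable[[Stream], Stream]


def G(m: int, prev: Optional[List[Component]]) -> List[Component]:
    """G_m : (later (Str -> Str))(m) -> (Str -> Str)(m). prev is None at m = 1
    (the element *), otherwise [f_1, ..., f_{m-1}] from (Str -> Str)(m-1)."""
    def head_only(s: Stream) -> Stream:       # component 1: t = *, only the head is bumped
        return (s[0] + 1,)
    comps: List[Component] = [head_only]
    if prev is not None:
        for f_prev in prev:                    # f_prev is f_{k-1}; it builds component k
            comps.append(lambda s, f=f_prev: (s[0] + 1,) + f(s[1:]))
    return comps


def F(m: int, f: List[Component]) -> List[Component]:
    """F = G o next at level m; next_m on the exponential is projection (drop f_m)."""
    return G(m, f[:-1] if m > 1 else None)


def fix(g, levels: int) -> list:
    """x_1 = g_1(*), x_{n+1} = g_{n+1}(x_n) (Theorem 2.4), first `levels` components."""
    xs, prev = [], None
    for n in range(1, levels + 1):
        prev = g(n, prev)
        xs.append(prev)
    return xs


def apply_at_level(xs: list, m: int, s: Stream) -> Stream:
    """Apply component m of the fixed point, f_m : N^m -> N^m, to s in Str(m)."""
    return xs[m - 1][m - 1](s)


def agree(f: List[Component], g: List[Component], samples: List[Stream]) -> bool:
    """Extensional equality of two elements of (Str -> Str)(m) on the prefixes of the samples."""
    return all(fk(s[:k]) == gk(s[:k])
               for k, (fk, gk) in enumerate(zip(f, g), start=1) for s in samples)


if __name__ == "__main__":
    xs = fix(G, 4)
    print(apply_at_level(xs, 3, (3, 1, 4)))        # (4, 2, 5), i.e. succ_3
    print(agree(F(4, xs[3]), xs[3], [(0, 1, 2, 3)]))   # True
```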

3. Application to Step-Indexing 

As an example, we now construct a model of a programming language with higher-order 
store and recursive types entirely inside the internal logic of S. There are two points we 
wish to make here. First, although the programming language is quite expressive, the 
internal model looks — almost — like a naive, set-theoretic model. The exception is that 
guarded recursion is used in a few, select places, such as defining the meaning of recursive 
types, where the naive approach would fail. Second, when viewed externally, we recover 
a standard, step-indexed model. This example therefore illustrates that the topos of trees 
gives rise to simple, synthetic accounts of step-indexed models. 

All definitions and results in Sections 3.1 to 3.4 are in the internal logic of S. In 
Section 3.5 we investigate what these results mean externally. 

3.1. Language. The types and terms of $F_{\mu,\mathrm{ref}}$ are as follows:
\[
\begin{aligned}
\tau &::= 1 \mid \tau_1 \times \tau_2 \mid \mu\alpha.\tau \mid \forall\alpha.\tau \mid \alpha \mid \tau_1 \to \tau_2 \mid \mathrm{ref}\ \tau \\
t &::= x \mid l \mid () \mid (t_1, t_2) \mid \mathrm{fst}\ t \mid \mathrm{snd}\ t \mid \mathrm{fold}\ t \mid \mathrm{unfold}\ t \mid \\
&\qquad \Lambda\alpha.t \mid t[\tau] \mid \lambda x.t \mid t_1\ t_2 \mid \mathrm{ref}\ t \mid\ !t \mid t_1 := t_2
\end{aligned}
\]
(The full term language also includes sum types, and can be found in Appendix A.) Here $l$ ranges over location constants, which are encoded as natural numbers.

More explicitly, the sets OType and OTerm of possibly open types and terms are defined by induction according to the grammars above (using that toposes model W-types [?]), and then by quotienting with respect to $\alpha$-equivalence.

The set OValue of syntactic values is an inductively defined subset of OTerm:
\[
v ::= x \mid l \mid () \mid (v_1, v_2) \mid \mathrm{fold}\ v \mid \Lambda\alpha.t \mid \lambda x.t
\]
Let Term and Value be the subsets of closed terms and closed values, respectively. Let Store be the set of finite maps from natural numbers to closed values; this is encoded as the set of those finite lists of pairs of natural numbers and closed values that contain no number twice. Finally, let $\mathrm{Config} = \mathrm{Term} \times \mathrm{Store}$.

The typing judgements have the form $\Xi \mid \Gamma \vdash t : \tau$ where $\Xi$ is a context of type variables and $\Gamma$ is a context of term variables. The typing rules are standard and can be found in Appendix A. Notice, however, that there is no context of location variables and no typing judgement for stores: we only need to type-check terms that can occur in programs.
3.2. Operational semantics. We assume a standard one-step relation $\mathrm{step} : \mathcal P(\mathrm{Config} \times \mathrm{Config})$ on configurations, defined by induction following the usual presentation of such relations by means of inference rules (see, e.g., the online appendix to [13]). For simplicity, allocation is deterministic: when allocating a new reference cell, we choose the smallest location not already in the store. Notice that the step relation is defined on untyped configurations. Erroneous configurations are "stuck."

So far, we have defined the language and operational semantics exactly as we would in standard set theory. Next comes the crucial difference. We use Theorem 2.9 to define the predicate $\mathrm{eval} : \mathcal P(\mathrm{Term} \times \mathrm{Store} \times \mathcal P(\mathrm{Value} \times \mathrm{Store}))$,
\[
\begin{aligned}
\mathrm{eval}(t, s, Q) \Leftrightarrow\ & (t \in \mathrm{Value} \wedge Q(t, s))\ \vee \\
& (\exists t_1 : \mathrm{Term},\ s_1 : \mathrm{Store}.\ \mathrm{step}((t, s), (t_1, s_1)) \wedge \triangleright \mathrm{eval}(t_1, s_1, Q))
\end{aligned}
\]

Intuitively, the predicate Q is a post-condition, and $\mathrm{eval}(t, s, Q)$ is a partial correctness specification, in the sense of Hoare logic, meaning the following: (1) The configuration $(t, s)$ is safe, i.e., it does not lead to an error. (2) If the configuration $(t, s)$ evaluates to some pair $(v, s')$, then at that point in time $(v, s')$ satisfies Q. We shall justify this intuition in Section 3.5 below. The use of $\triangleright$ ensures that the predicate is well-defined; in effect, we postulate that one evaluation step in the programming language actually takes one unit of time in the sense of the internal logic. As we shall see below, this "temporal" semantics is essential in the proof of the fundamental theorem of logical relations.

Notice how guarded recursion is used to give a simple, coinduction-style definition of partial correctness. The Löb rule can then be conveniently used for reasoning about this definition. For example, the rule gives a very easy proof that if $(t, s)$ is a configuration that reduces to itself in the sense that $\mathrm{step}((t, s), (t, s))$ holds, then $\mathrm{eval}(t, s, Q)$ holds for any Q. The Löb rule also proves the following results, which are used to show the fundamental theorem below.

Proposition 3.1. Let $Q, Q' \in \mathcal P(\mathrm{Value} \times \mathrm{Store})$ such that $Q \subseteq Q'$. Then for all t and s we have that $\mathrm{eval}(t, s, Q)$ implies $\mathrm{eval}(t, s, Q')$.

Proposition 3.2. For all stores s, all terms t, all evaluation contexts E such that $E[t]$ is closed, and all predicates $Q \in \mathcal P(\mathrm{Value} \times \mathrm{Store})$, we have that $\mathrm{eval}(E[t], s, Q)$ holds iff $\mathrm{eval}(t, s, \lambda(v_1, s_1).\ \mathrm{eval}(E[v_1], s_1, Q))$ holds.

3.3. Definition of Kripke worlds. The main idea behind our interpretation of types is as in [5], [8]: Since $F_{\mu,\mathrm{ref}}$ includes reference types, we use a Kripke model of types, where a semantic type is defined to be a world-indexed family of sets of syntactic values. A world is a map from locations to semantic types. This introduces a circularity between semantic types T and worlds W, which can be expressed as a pair of domain equations: $W = \mathbb N \to_{\mathrm{fin}} T$ and $T = W \to_{\mathrm{mon}} \mathcal P(\mathrm{Value})$.

Rather than solving the above stated domain equations exactly, we solve a guarded variant. More precisely, we define the set
\[
\hat T = \mu X.\ \blacktriangleright\big((\mathbb N \to_{\mathrm{fin}} X) \to_{\mathrm{mon}} \mathcal P(\mathrm{Value})\big).
\]
Here $\mathbb N \to_{\mathrm{fin}} X$ is the set $\Sigma_{A : \mathcal P_{\mathrm{fin}}(\mathbb N)}\, X^A$ where $\mathcal P_{\mathrm{fin}}(\mathbb N) = \{ A \subseteq \mathbb N \mid \exists m\, \forall n \in A.\ n < m \}$. The set $\Sigma_{A : \mathcal P_{\mathrm{fin}}(\mathbb N)}\, X^A$ is ordered by graph inclusion and $\to_{\mathrm{mon}}$ is the set of monotonic functions realized as a subset type on the function space.

The type $\hat T$ can be seen to be well-defined as a consequence of the theory of Section 4, in particular Proposition 4.10. Alternatively, observe that the corresponding functor is of the form $F = \blacktriangleright \circ G$. Here G is strong because its action on morphisms can be defined as a term $Y^X \to GY^{GX}$ in the internal logic. Now, since $\blacktriangleright$ is locally contractive so is F. Hence by Theorem 2.14, F has a unique fixed point $\hat T$, with an isomorphism $i : \hat T \to F(\hat T)$. We define
\[
W = \mathbb N \to_{\mathrm{fin}} \hat T, \qquad T = W \to_{\mathrm{mon}} \mathcal P(\mathrm{Value}),
\]
and $T_c = W \to \mathcal P(\mathrm{Term})$. Notice that $\hat T$ is isomorphic to $\blacktriangleright T$. We now define $\mathrm{app} : \hat T \to T$ and $\mathrm{lam} : T \to \hat T$ as follows. First, app is the isomorphism i composed with the operator $d : \blacktriangleright T \to T$ given by
\[
d(f) = \lambda w.\ \lambda v.\ \mathrm{succ}\big(J(J(f)(\mathrm{next}\ w))(\mathrm{next}\ v)\big),
\]
where J is the map in (2.1) and $\mathrm{succ} : \blacktriangleright\Omega \to \Omega$ is as defined earlier. (This is a general way of lifting algebras for $\blacktriangleright$ to function spaces.) Here one needs to check that d is well-defined, i.e., preserves monotonicity. Second, $\mathrm{lam} : T \to \hat T$ is defined by $\mathrm{lam} = i^{-1} \circ \mathrm{next}_T$.

Define $\triangleright : T \to T$ as the pointwise extension of $\triangleright : \Omega \to \Omega$, i.e., for $\nu \in T$, $w \in W$ and $v \in \mathrm{Value}$, we have that $(\triangleright \nu)(w)(v)$ holds iff $\triangleright(\nu(w)(v))$ holds.

Lemma 3.3. $\mathrm{app} \circ \mathrm{lam} = \triangleright : T \to T$.

3.4. Interpretation of types. Let TVar be the set of type variables, and for $\tau \in \mathrm{OType}$, let $\mathrm{TEnv}(\tau) = \{ \varphi \in \mathrm{TVar} \to_{\mathrm{fin}} T \mid \mathrm{FV}(\tau) \subseteq \mathrm{dom}(\varphi) \}$. The interpretation of programming-language types is defined by induction, as a function
\[
[\![\cdot]\!] : \prod_{\tau \in \mathrm{OType}} \mathrm{TEnv}(\tau) \to T.
\]
We show some cases of the definition here; the complete definition can be found in Appendix A.2.
\[
\begin{aligned}
[\![\alpha]\!]\varphi &= \varphi(\alpha) \\
[\![\tau_1 \times \tau_2]\!]\varphi &= \lambda w.\ \{ (v_1, v_2) \mid v_1 \in [\![\tau_1]\!]\varphi(w) \wedge v_2 \in [\![\tau_2]\!]\varphi(w) \} \\
[\![\mathrm{ref}\ \tau]\!]\varphi &= \lambda w.\ \{ l \mid l \in \mathrm{dom}(w) \wedge \forall w_1 \geq w.\ \mathrm{app}(w(l))(w_1) = \triangleright([\![\tau]\!]\varphi)(w_1) \} \\
[\![\forall\alpha.\tau]\!]\varphi &= \lambda w.\ \{ \Lambda\alpha.t \mid \forall \nu \in T.\ \forall w_1 \geq w.\ t \in \mathrm{comp}([\![\tau]\!]\varphi[\alpha \mapsto \nu])(w_1) \} \\
[\![\mu\alpha.\tau]\!]\varphi &= \mathrm{fix}\big(\lambda \nu.\ \lambda w.\ \{ \mathrm{fold}\ v \mid \triangleright(v \in [\![\tau]\!]\varphi[\alpha \mapsto \nu](w)) \}\big) \\
[\![\tau_1 \to \tau_2]\!]\varphi &= \lambda w.\ \{ \lambda x.t \mid \forall w_1 \geq w.\ \forall v \in [\![\tau_1]\!]\varphi(w_1).\ t[v/x] \in \mathrm{comp}([\![\tau_2]\!]\varphi)(w_1) \}
\end{aligned}
\]
Here the operations $\mathrm{comp} : T \to T_c$ and $\mathrm{states} : W \to \mathcal P(\mathrm{Store})$ are given by
\[
\begin{aligned}
\mathrm{comp}(\nu)(w) &= \{ t \mid \forall s \in \mathrm{states}(w).\ \mathrm{eval}(t, s, \lambda(v_1, s_1).\ \exists w_1 \geq w.\ v_1 \in \nu(w_1) \wedge s_1 \in \mathrm{states}(w_1)) \} \\
\mathrm{states}(w) &= \{ s \mid \mathrm{dom}(s) = \mathrm{dom}(w) \wedge \forall l \in \mathrm{dom}(w).\ s(l) \in \mathrm{app}(w(l))(w) \}.
\end{aligned}
\]
Notice that this definition is almost as simple as an attempt at a naive, set-theoretic definition, except for the two explicit uses of $\triangleright$. In the definition of $[\![\mu\alpha.\tau]\!]$, the use of $\triangleright$ ensures that the fixed point is well-defined according to Theorem 2.9. As for the definition of $[\![\mathrm{ref}\ \tau]\!]$, the $\triangleright$ is needed because we have $\triangleright$ instead of the identity in Lemma 3.3. In both cases, the intuition is the usual one from step-indexing: since an evaluation step takes a unit of time, it suffices that a certain formula only holds later.

Proposition 3.4 (Fundamental theorem). If $\vdash t : \tau$, then for all $w \in W$ we have $t \in \mathrm{comp}([\![\tau]\!]\emptyset)(w)$.

Proof. To show this, one first generalizes to open types and open terms in the standard way, and then one shows semantic counterparts of all the typing rules of the language. See Appendix A.3. To illustrate the use of $\triangleright$, we outline the case of reference lookup: $\vdash\ !t : \tau$. Here the essential proof obligation is that $v \in [\![\mathrm{ref}\ \tau]\!]\emptyset(w)$ implies $!v \in \mathrm{comp}([\![\tau]\!]\emptyset)(w)$. To show this, we unfold the definition of comp. Let $s \in \mathrm{states}(w)$ be given; we must show
\[
\mathrm{eval}\big(!v, s, \lambda(v_1, s_1).\ \exists w_1 \geq w.\ v_1 \in [\![\tau]\!]\emptyset(w_1) \wedge s_1 \in \mathrm{states}(w_1)\big). \tag{3.1}
\]
By the assumption that $v \in [\![\mathrm{ref}\ \tau]\!]\emptyset(w)$, we know that $v = l$ for some location l such that $l \in \mathrm{dom}(w)$ and $\mathrm{app}(w(l))(w_1) = \triangleright([\![\tau]\!]\emptyset)(w_1)$ for all $w_1 \geq w$. Since $s \in \mathrm{states}(w)$, we know that $l \in \mathrm{dom}(s) = \mathrm{dom}(w)$ and $s(l) \in \mathrm{app}(w(l))(w)$. We therefore have $\mathrm{step}((!l, s), (s(l), s))$. Hence, by unfolding the definition of eval in (3.1) and using the rules from Proposition 2.7, it remains to show that $\exists w_1 \geq w.\ \triangleright(s(l) \in [\![\tau]\!]\emptyset(w_1)) \wedge \triangleright(s \in \mathrm{states}(w_1))$. We choose $w_1 = w$. First, $s \in \mathrm{states}(w)$ and hence $\triangleright(s \in \mathrm{states}(w))$. Second, $s(l) \in \mathrm{app}(w(l))(w) = \triangleright([\![\tau]\!]\emptyset)(w)$, which means exactly that $\triangleright(s(l) \in [\![\tau]\!]\emptyset(w))$. □

3.5. The view from the outside. We now return to the standard universe of sets and give external interpretations of the internal results above. One basic ingredient is the fact that the constant-presheaf functor $\Delta : \mathbf{Set} \to \mathcal S$ commutes with formation of W-types. This fact can be shown by inspection of the concrete construction of W-types for presheaf categories given in [28].

Let OType' and OTerm' be the sets of possibly open types and terms, respectively, as defined by the grammars above. Similarly, let Value', Store', Config', and step' be the external counterparts of the definitions from the previous sections.

Proposition 3.5. $\mathrm{OType} \cong \Delta(\mathrm{OType}')$, and similarly for OTerm, Value, Store, and Config. Moreover, under these isomorphisms step corresponds to $\Delta\,\mathrm{step}'$ as a subobject of $\mathrm{Config} \times \mathrm{Config}$.

This result essentially says that the external interpretation of the step relation is world-independent, and has the expected meaning: for all n we have that $n \models \mathrm{step}((t, s), (t', s'))$ holds iff $(t, s)$ actually steps to $(t', s')$ in the standard operational semantics. We next consider the eval predicate:

Proposition 3.6. $n \models \mathrm{eval}(t, s, Q)$ iff the following property holds: for all $m < n$, if $(t, s)$ reduces to $(v, s')$ in m steps, then $(n - m) \models Q(v, s')$.

Using this property and the forcing semantics from Section 2.4 one obtains that the external meaning of the interpretation of types is a step-indexed model in the standard sense. In particular, note that an element of $\mathcal P(\mathrm{Value})(n)$ can be viewed as a set of pairs $(m, v)$ of natural numbers $m < n$ and values which is downwards closed in the first component.
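The stage-indexed reading of eval can be made concrete. The following Python is an added example (not the paper's code) that runs the guarded definition of eval from Section 3.2, and the characterisation of Proposition 3.6, on a constructed toy language with a deterministic step relation: a value constructor, a successor, a dereference that is stuck (an error) on an unallocated location, and a self-looping term. `forces_eval` unfolds the definition of eval using the forcing clause for ▷ assumed here (it holds at stage 1, and at stage n+1 exactly when its body holds at stage n); `external_check` is Proposition 3.6 restricted to configurations that reach a value. The term language, `steps_to_value`, `verdicts` and the two post-conditions are constructed for the example.

```python
# Added example (not the paper's code): the stage-indexed reading of eval
# from Section 3.5, run on a constructed toy language.
from typing import Callable, Dict, Optional, Tuple

# Constructed toy term language (tuples):
#   ('val', k)      a value
#   ('succ', t)     evaluate t to a value, then add one
#   ('deref', l)    read location l; stuck (an error) if l is unallocated
#   ('loop',)       steps to itself forever
Term = tuple
Store = Dict[int, int]
Config = Tuple[Term, Store]
Post = Callable[[int, Term, Store], bool]    # n |= Q(v, s)


def is_value(t: Term) -> bool:
    return t[0] == 'val'


def step(cfg: Config) -> Optional[Config]:
    """One deterministic step; None when the configuration is stuck."""
    t, s = cfg
    if t[0] == 'succ':
        inner = t[1]
        if is_value(inner):
            return (('val', inner[1] + 1), s)
        nxt = step((inner, s))          # evaluation context succ[ ]
        return None if nxt is None else (('succ', nxt[0]), nxt[1])
    if t[0] == 'deref':
        return (('val', s[t[1]]), s) if t[1] in s else None
    if t[0] == 'loop':
        return cfg
    return None                         # values do not step


def forces_eval(n: int, cfg: Config, Q: Post) -> bool:
    """n |= eval(t, s, Q), by unfolding
         eval(t, s, Q) iff (t in Value and Q(t, s)) or (some step and |> eval(...))
    with the forcing clause for |> assumed here: n |= |>phi holds when n = 1
    and, for n > 1, iff (n - 1) |= phi.  The stage bounds the recursion depth,
    so even the looping configuration is decided."""
    t, s = cfg
    if is_value(t):
        return Q(n, t, s)
    nxt = step(cfg)
    if nxt is None:                     # stuck non-value: unsafe, eval fails
        return False
    return n == 1 or forces_eval(n - 1, nxt, Q)


def steps_to_value(cfg: Config, max_steps: int) -> Optional[Tuple[int, Term, Store]]:
    """(m, v, s') when cfg reaches a value in m <= max_steps steps, else None."""
    cur: Optional[Config] = cfg
    for m in range(max_steps + 1):
        if cur is None:
            return None
        if is_value(cur[0]):
            return (m, cur[0], cur[1])
        cur = step(cur)
    return None


def external_check(n: int, cfg: Config, Q: Post, max_steps: int = 100) -> bool:
    """Proposition 3.6 for a configuration that reaches a value in m steps:
    n |= eval iff m >= n (no stage is left to observe the result) or (n - m) |= Q."""
    reached = steps_to_value(cfg, max_steps)
    if reached is None:
        raise ValueError('external_check only covers configurations that reach a value')
    m, v, s2 = reached
    return m >= n or Q(n - m, v, s2)


# Constructed inputs: a program that reads location 0 and increments twice.
STORE: Store = {0: 1}
PROG: Term = ('succ', ('succ', ('deref', 0)))
Q_IS_3: Post = lambda n, v, s: v[1] == 3
Q_IS_4: Post = lambda n, v, s: v[1] == 4


def verdicts(cfg: Config, Q: Post, up_to: int):
    """The stages 1..up_to at which n |= eval(cfg, Q) holds."""
    return [n for n in range(1, up_to + 1) if forces_eval(n, cfg, Q)]
```

The self-looping configuration satisfies eval at every stage, which is the Löb-rule example of Section 3.2; the stuck dereference fails at every stage, which is the safety reading (1) of eval; and for `PROG`, which reaches the value 3 in three steps, the verdict at stage n depends on Q only at stage n-3, so a false post-condition is first detected at stage 4, exactly as Proposition 3.6 predicts.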
3.6. Discussion. For simplicity, we have just considered a unary model in this extended example; we believe the approach scales well both to relational models and to more sophisticated models for reasoning about local state [?]; in particular, we have experimented with an internal-logic formulation of parts of [7], which involve recursively defined relations on recursively defined types.

As mentioned above, the operational semantics of this example was for simplicity chosen to be deterministic. We expect that one can easily adapt the approach presented here to non-deterministic languages. For that, the evaluation predicate must be changed to quantify universally (rather than existentially) over computation steps, and errors must explicitly be ruled out, as in:
\[
\begin{aligned}
\mathrm{eval}'(t, s, Q) \Leftrightarrow\ & (t \in \mathrm{Value} \to Q(t, s)) \wedge \neg\mathrm{error}(t, s)\ \wedge \\
& (\forall t_1 : \mathrm{Term},\ s_1 : \mathrm{Store}.\ \mathrm{step}((t, s), (t_1, s_1)) \to \triangleright \mathrm{eval}'(t_1, s_1, Q)).
\end{aligned}
\]
As mentioned in the Introduction, in [5] the recursive equation for T was solved in the category CBUlt of ultrametric spaces. Using the space T the model was then defined in the usual universe of sets in the standard, explicit step-indexed style. Here instead we observe that the relevant part of CBUlt is a full subcategory of $\mathcal S$ (Section 5), solve the recursive equation in $\mathcal S$, and then stay within $\mathcal S$ to give a simpler model that does not refer to step indices. In particular, the proof of the fundamental theorem is much simpler when done in $\mathcal S$.

4. Dependent Types

Since $\mathcal S$ is a topos it models not only higher-order logic over simple type theory, but also over dependent type theory. The aim of this section is to provide the semantic foundation for extending the dependent type theory with type constructors corresponding to $\blacktriangleright$ and guarded recursive types, although we postpone a detailed syntactic formulation of such a type theory to a later paper.

Recall that dependent types in context are interpreted in slice categories¹; in particular a type $\Gamma \vdash A$ is interpreted as an object of $\mathcal S/[\![\Gamma]\!]$. To extend the interpretation of dependent type theory with a type constructor corresponding to $\blacktriangleright$, we must therefore extend the definition of $\blacktriangleright$ to slice categories.

4.1. Slice categories concretely. Before defining $\blacktriangleright_I : \mathcal S/I \to \mathcal S/I$ we give a concrete description of the slice categories $\mathcal S/I$.

We first recall the construction of the category of elements for presheaves over partial orders. For B a partial order, we write $\hat B$ for the category of presheaves over B, i.e., the category of functors and natural transformations from $B^{\mathrm{op}}$ to Set.

Definition 4.1. Let B be a partially ordered set and let X be a presheaf over B. Define the partially ordered set of elements of X as $\int X = \{ (b, x) \mid b \in B \wedge x \in X(b) \}$ with order defined as $(b, x) \leq (c, y)$ iff $b \leq c$ and $y|_b = x$.

¹For now we follow the practice of ignoring coherence issues related to the interpretation of substitution in codomain fibrations since there are various ways to avoid these issues, e.g. [?]. See the end of the section for more on this issue.
Note that if one applies this construction to an object X of $\mathcal S$ one gets a forest $\int X$: the roots are the elements of $X(1)$, the children of the roots are the elements of $X(2)$, and so on. Indeed any forest is of the form $\int X$ for some X in $\mathcal S$.

Proposition 4.2. Let B be a partially ordered set and let I be a presheaf over B. Then $\hat B / I \simeq \widehat{\int I}$.

Proof. This is a standard theorem of sheaf theory [27, Ex. III.8], and we just recall one direction of the equivalence. An object $p_X : X \to I$ of the slice category $\hat B / I$ corresponds to the presheaf that maps $(b, i) \in \int I$ to $(p_X)_b^{-1}(i)$. □

Thus we conclude that the slices of $\mathcal S$ are of the form presheaves over a forest.



4.2. Generalising $\blacktriangleright$ to slices. There is a simple generalisation of the $\blacktriangleright$ functor from $\mathcal S$ to presheaves over any forest $\int I$: if X is a presheaf over $\int I$ then
\[
\blacktriangleright_I X\,(n, i) =
\begin{cases}
1 & \text{if } n = 1 \\
X(n - 1, i|_{n-1}) & \text{if } n > 1
\end{cases}
\]
In Section 8 we shall see how to generalise this even further.

The map $\mathrm{next}_X : X \to \blacktriangleright_I X$ is represented by the following natural transformation in $\widehat{\int I}$:
\[
\begin{aligned}
\mathrm{next}_{(1, i)}(x) &= * \\
\mathrm{next}_{(n+1, i)}(x) &= x|_{(n, i|_n)}
\end{aligned}
\]
The fixed point combinator also generalizes to slices. Indeed, if $f : X \to X$ in $\widehat{\int I}$ is contractive, in the sense that there exists a $g : \blacktriangleright_I X \to X$ such that $f = g \circ \mathrm{next}$, then we can construct a fixed point of f (i.e., a natural transformation $1 \to X$) by:
\[
= g_{(1, i)}(*)
\]
This construction generalises to a fixed point combinator $\mathrm{fix}_X : (\blacktriangleright_I X \to X) \to X$ satisfying the properties of the global fixed point operator described in Theorem 2.4.
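The forest of Definition 4.1 and the stage-wise formulas for $\blacktriangleright_I$ and next above can be checked on concrete data. The following Python is an added example, not code from the paper: it builds the poset of elements of a constructed object I of $\mathcal S$ with three stages, checks that it is a forest, and implements $\blacktriangleright_I X$ and $\mathrm{next}$ for a constructed presheaf X over $\int I$ directly from the formulas of this section; `check_next_natural` verifies that next commutes with the restriction maps on every edge of the forest. The object I, the presheaf X and all function names are assumptions of the example.

```python
# Added example (not the paper's code): the category of elements of
# Definition 4.1 as a forest, and the slice-wise |>_I and next of Section 4.2
# computed on constructed data.
from typing import Dict, FrozenSet, List, Tuple

Node = Tuple[int, tuple]     # (n, i) with i in I(n); the restriction i|_m is i[:m]
STAR = '*'                   # the single element of the terminal presheaf 1

# Constructed object I of S: I(n) holds tuples of length n, restriction truncates.
I_STAGES: Dict[int, FrozenSet[tuple]] = {
    1: frozenset({('a',)}),
    2: frozenset({('a', 0), ('a', 1)}),
    3: frozenset({('a', 0, 0), ('a', 1, 0), ('a', 1, 1)}),
}


def elements(stages: Dict[int, FrozenSet[tuple]]) -> Tuple[List[Node], Dict[Node, Node]]:
    """The poset of elements int I: the nodes (n, i) and, for n > 1, the unique
    element below at the previous stage, (n-1, i|_{n-1}): the parent in the forest."""
    nodes = [(n, i) for n, elems in sorted(stages.items()) for i in sorted(elems)]
    parent: Dict[Node, Node] = {}
    for n, i in nodes:
        if n > 1:
            p = (n - 1, i[:n - 1])
            if p[1] not in stages[n - 1]:
                raise ValueError(f'restriction of {i} is not an element of I({n - 1})')
            parent[(n, i)] = p
    return nodes, parent


def is_forest(nodes: List[Node], parent: Dict[Node, Node]) -> bool:
    """Roots are exactly the stage-1 elements; every other node has one parent
    one stage down, so each connected component is a tree."""
    roots_ok = all((n == 1) == ((n, i) not in parent) for n, i in nodes)
    levels_ok = all(p[0] == v[0] - 1 for v, p in parent.items())
    return roots_ok and levels_ok


# Constructed presheaf X over int I: X(n, i) = {0, ..., n-1}; the restriction to
# the parent node clips an element into the smaller range.
def X_at(node: Node) -> FrozenSet[int]:
    return frozenset(range(node[0]))


def X_restrict(node: Node, x: int) -> int:
    """x|_{parent(node)} for x in X(node); note X(n-1, .) = {0, ..., n-2}."""
    return min(x, node[0] - 2)


def later_at(node: Node, parent: Dict[Node, Node]) -> FrozenSet:
    """|>_I X (n, i) = 1 if n = 1, and X(n-1, i|_{n-1}) otherwise."""
    return frozenset({STAR}) if node[0] == 1 else X_at(parent[node])


def next_at(node: Node, parent: Dict[Node, Node], x: int):
    """next_{(1,i)}(x) = *, and next_{(n+1,i)}(x) = x|_{(n, i|_n)}."""
    return STAR if node[0] == 1 else X_restrict(node, x)


def check_next_natural(nodes: List[Node], parent: Dict[Node, Node]) -> bool:
    """next is natural: on every edge node -> parent of the forest, restricting in
    X and then applying next agrees with applying next and then restricting in
    |>_I X (whose restriction into stage 1 is the unique map to 1, and otherwise
    X's own restriction one stage down)."""
    for node, p in parent.items():
        for x in X_at(node):
            via_x = next_at(p, parent, X_restrict(node, x))
            img = next_at(node, parent, x)
            via_later = STAR if p[0] == 1 else X_restrict(p, img)
            if via_x != via_later:
                return False
    return True
```

With three stages the forest has one root, two nodes at stage 2 and three at stage 3; $\blacktriangleright_I X$ at a stage-3 node is X at its parent, so it has two elements, and next at a stage-3 node is the clipping restriction into that set.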

Proposition 4.3. Let $p_Y : Y \to I$ be an object of $\mathcal S/I$. There is a map $\blacktriangleright_I Y \to \blacktriangleright Y$ making the diagram below a pullback.
\[
\begin{array}{ccc}
\blacktriangleright_I Y & \longrightarrow & \blacktriangleright Y \\
\big\downarrow{\scriptstyle p_{\blacktriangleright_I Y}} & & \big\downarrow{\scriptstyle \blacktriangleright p_Y} \\
I & \xrightarrow{\ \mathrm{next}_I\ } & \blacktriangleright I
\end{array}
\]
One could have also taken the pullback diagram of Proposition 4.3 as a definition of $\blacktriangleright_I$, and indeed we do so in our axiomatic treatment of models of guarded recursion in Section 6.

The definition above allows us to consider $\blacktriangleright$ as a type constructor on dependent types, interpreting $[\![\Gamma \vdash \blacktriangleright A]\!] = \blacktriangleright_{[\![\Gamma]\!]}([\![\Gamma \vdash A]\!])$. The following proposition expresses that this interpretation of $\blacktriangleright$ behaves well wrt. substitution.

Proposition 4.4. For every $u : J \to I$ in $\mathcal S$ there is a natural isomorphism $u^* \circ \blacktriangleright_I \cong \blacktriangleright_J \circ u^*$.

As a consequence, the collection of functors $(\blacktriangleright_I)_{I \in \mathcal S}$ defines a fibred endofunctor on the codomain fibration. Moreover, next defines a fibred natural transformation from the fibred identity on the codomain fibration to $\blacktriangleright$.

We remark that each $\blacktriangleright_I$ has a left adjoint, but in Section 6.1 we prove that this family of left adjoints does not commute with reindexing. As a consequence, it does not define a well-behaved dependent type constructor.



4.3. Recursive dependent types. Since the slices of $\mathcal S$ are cartesian closed, the notions of strong functors and locally contractive functors from Definition 2.12 also make sense in slices. Thus we can formulate a version of Theorem 2.14 generalised to all slices of $\mathcal S$. The next theorem does that, and further generalises to parametrized domain equations, a step necessary for modelling nested recursive types.

For the statement of the theorem recall the symmetrization $\bar F : (\mathcal C^{\mathrm{op}} \times \mathcal C)^n \to \mathcal C^{\mathrm{op}} \times \mathcal C$ of a functor $F : (\mathcal C^{\mathrm{op}} \times \mathcal C)^n \to \mathcal C$ defined as $\bar F(X, Y) = (F(Y, X), F(X, Y))$.

Theorem 4.5. Let $F : ((\mathcal S/I)^{\mathrm{op}} \times \mathcal S/I)^{n+1} \to \mathcal S/I$ be strong and locally contractive in the $(n+1)$th variable pair. Then there exists a unique (up to isomorphism)
\[
\mathrm{Fix}\,F : ((\mathcal S/I)^{\mathrm{op}} \times \mathcal S/I)^n \to \mathcal S/I
\]
such that $F \circ (\mathrm{id}, \mathrm{Fix}\,F) = \mathrm{Fix}\,F$. Moreover, if F is locally contractive in all variables, so is $\mathrm{Fix}\,F$.

We postpone the proof of this theorem to Section 8, where we prove the existence of solutions to recursive domain equations for a wider class of categories and functors.

One can prove that the fixed points obtained by Theorem 4.5 are initial dialgebras in the sense of Freyd [15, 17]. This universal property generalises initial algebras and final coalgebras to mixed-variance functors, and can be used to prove mixed induction / coinduction principles [31].

The formation of recursive types is well-behaved wrt. substitution:

Proposition 4.6. If the square
\[
\begin{array}{ccc}
((\mathcal S/I)^{\mathrm{op}} \times \mathcal S/I)^{n+1} & \xrightarrow{\ F\ } & \mathcal S/I \\
\big\downarrow{\scriptstyle u^*} & & \big\downarrow{\scriptstyle u^*} \\
((\mathcal S/J)^{\mathrm{op}} \times \mathcal S/J)^{n+1} & \xrightarrow{\ G\ } & \mathcal S/J
\end{array}
\]
commutes up to isomorphism, so does
\[
\begin{array}{ccc}
((\mathcal S/I)^{\mathrm{op}} \times \mathcal S/I)^{n} & \xrightarrow{\ \mathrm{Fix}\,F\ } & \mathcal S/I \\
\big\downarrow{\scriptstyle u^*} & & \big\downarrow{\scriptstyle u^*} \\
((\mathcal S/J)^{\mathrm{op}} \times \mathcal S/J)^{n} & \xrightarrow{\ \mathrm{Fix}\,G\ } & \mathcal S/J
\end{array}
\]
For the moment, our proof of Proposition 4.6 is conditional on the existence of unique fixed points, i.e., we prove that if $\mathrm{Fix}\,F$ and $\mathrm{Fix}\,G$ exist, then they make the required diagram commute up to isomorphism.

Proof. Note that $\mathrm{Fix}\,G \circ u^*$ is the unique H up to isomorphism such that
\[
G(u^*(X, Y), H(X, Y)) \cong H(X, Y).
\]
Now,
\[
\begin{aligned}
G(u^*(X, Y), (u^* \circ \mathrm{Fix}\,F)(X, Y)) &= G(u^*(X, Y), u^*(\mathrm{Fix}\,F(X, Y))) \\
&\cong u^*(F(X, Y, \mathrm{Fix}\,F(X, Y))) \\
&\cong u^*(\mathrm{Fix}\,F(X, Y))
\end{aligned}
\]
and so we conclude $u^*\,\mathrm{Fix}\,F(X, Y) \cong \mathrm{Fix}\,G(u^*(X, Y))$. □

4.4. A higher order dependent type theory with guarded recursion. In this section we sketch a type theory for guarded recursive types in combination with dependent types and explain how it can be interpreted soundly in $\mathcal S$. Since the type theory is an extension of standard higher-order dependent type theory, which can be interpreted in any topos, we focus on the extension to guarded recursion, and refer to [23] for details on dependent higher-order type theory and its interpretation in a topos. This section is meant to illustrate how the semantic results above can be understood type theoretically; we leave a full investigation of the syntactic aspects of the type theory to future work.

Recursive types are naturally formulated using type variables, and thus we allow types to contain type variables. Hence our type judgements live in contexts $\Gamma$ that can be formed using the rules below
\[
\frac{}{\cdot : \mathrm{Ctx}} \qquad
\frac{\Gamma \vdash \tau : \mathrm{Type}}{(\Gamma, x : \tau) : \mathrm{Ctx}} \qquad
\frac{\Gamma : \mathrm{Ctx}}{(\Gamma, X : \mathrm{Type}) : \mathrm{Ctx}}
\]
Type variables can be introduced as types using the rule
\[
\frac{\Gamma : \mathrm{Ctx} \qquad X : \mathrm{Type} \in \Gamma}{\Gamma \vdash X : \mathrm{Type}}
\]
The exchange rule of dependent type theory should be extended to allow a type variable X to be exchanged with a term variable $x : \sigma$ if X does not appear in $\sigma$.

Dependent products and sums and subset types are added to the type theory in the usual way [?], but we also add a special type constructor called $\blacktriangleright$ which acts as a functor. The rules are
\[
\frac{\Gamma \vdash \tau : \mathrm{Type}}{\Gamma \vdash \blacktriangleright\tau : \mathrm{Type}} \qquad
\frac{\Gamma \vdash M : \sigma \to \tau}{\Gamma \vdash \blacktriangleright(M) : \blacktriangleright\sigma \to \blacktriangleright\tau}
\]
and the external equality rules include equations expressing the functoriality of $\blacktriangleright$. Moreover, we add, for each pair of types $\sigma, \tau$ in the same context, a term of type $\blacktriangleright\sigma \times \blacktriangleright\tau \to \blacktriangleright(\sigma \times \tau)$ plus equations stating that this is inverse to $(\blacktriangleright(\pi_1), \blacktriangleright(\pi_2)) : \blacktriangleright(\sigma \times \tau) \to \blacktriangleright\sigma \times \blacktriangleright\tau$. The natural transformation next is introduced as follows:
\[
\frac{\Gamma \vdash \tau : \mathrm{Type}}{\Gamma \vdash \mathrm{next}_\tau : \tau \to \blacktriangleright\tau}
\]
plus equality rules stating that $\mathrm{next}_\tau$ is natural in $\tau$ (i.e., $\mathrm{next}_\sigma \circ u = \blacktriangleright(u) \circ \mathrm{next}_\tau$). We omit term formation rules for fixed point terms.

We now introduce the notion of functorial contractiveness which will be used as a condition ensuring well-formedness of recursive types. The definition is a syntactic reformulation of the semantic notion of local contractiveness.
A type $\tau$ is functorial in $\bar X$ if there is some way to split up the occurrences of the variables $\bar X$ in $\tau$ into positive and negative ones, in such a way that $\tau$ becomes a functor expressible in the type theory. Above, and in the exact definition below, we use vectors $\bar X$ to denote vectors of type variables and use $\bar x : \bar\sigma$ to denote vectors of typing assumptions of the form $x_1 : \sigma_1, \ldots, x_n : \sigma_n$. An assumption of the form $\bar f : \bar X \to \bar Y$ means $f_1 : X_1 \to Y_1, \ldots, f_n : X_n \to Y_n$.

Definition 4.7. Let $\Gamma, \bar X : \mathrm{Type} \vdash \tau : \mathrm{Type}$ be a valid typing judgement. We say that $\tau$ is functorial in $\bar X$ if there exists some other type judgement $\Gamma, \bar X : \mathrm{Type}, \bar Y : \mathrm{Type} \vdash \tau' : \mathrm{Type}$ and a term
\[
\Gamma, \bar X_-, \bar X_+, \bar Y_-, \bar Y_+, \bar f : \bar X_+ \to \bar X_-, \bar g : \bar Y_- \to \bar Y_+ \vdash \mathrm{st}(\bar f, \bar g) : \tau'(\bar X_-, \bar Y_-) \to \tau'(\bar X_+, \bar Y_+)
\]
(writing $\tau'(\bar X_-, \bar Y_-)$ for $\tau'[\bar X_-, \bar Y_- / \bar X, \bar Y]$) such that $\tau'(\bar X, \bar X) = \tau$, and such that st is functorial in the sense that $\mathrm{st}(\mathrm{id}, \mathrm{id}) = \mathrm{id}$, $\mathrm{st}(f \circ f', g' \circ g) = \mathrm{st}(f', g') \circ \mathrm{st}(f, g)$.

The definition of $\tau$ being contractively functorial in $\bar X$ is similar, except that the strength $\mathrm{st}(f, g)$ must be defined for $f : \blacktriangleright(\bar X_+ \to \bar X_-)$, $g : \blacktriangleright(\bar Y_- \to \bar Y_+)$. To make sense of functoriality write $f' \circ f$ for the composite
\[
\blacktriangleright(X \to Y) \times \blacktriangleright(Y \to Z) \to \blacktriangleright((X \to Y) \times (Y \to Z)) \xrightarrow{\ \blacktriangleright(\mathrm{comp})\ } \blacktriangleright(X \to Z)
\]
applied to $f'$ and $f$.

Definition 4.8. Let $\Gamma, \bar X : \mathrm{Type} \vdash \tau : \mathrm{Type}$ be a valid typing judgement. We say that $\tau$ is contractively functorial in $\bar X$ if there exists some other type judgement $\Gamma, \bar X : \mathrm{Type}, \bar Y : \mathrm{Type} \vdash \tau' : \mathrm{Type}$ and a term
\[
\Gamma, \bar X_-, \bar Y_-, \bar X_+, \bar Y_+, \bar f : \blacktriangleright(\bar X_+ \to \bar X_-), \bar g : \blacktriangleright(\bar Y_- \to \bar Y_+) \vdash \mathrm{st}(\bar f, \bar g) : \tau'(\bar X_-, \bar Y_-) \to \tau'(\bar X_+, \bar Y_+)
\]
such that $\tau'(\bar X, \bar X) = \tau$, and such that st is functorial in the sense that $\mathrm{st}(\mathrm{id}, \mathrm{id}) = \mathrm{id}$, $\mathrm{st}(f \circ f', g' \circ g) = \mathrm{st}(f', g') \circ \mathrm{st}(f, g)$.

Lemma 4.9. If $\tau$ is contractively functorial in $\bar X$ then it is also functorial in $\bar X$.

We now give the introduction rule for recursive types
\[
\frac{\Gamma, \bar X : \mathrm{Type} \vdash \tau : \mathrm{Type} \qquad \tau \text{ contractively functorial in } \bar X}{\Gamma \vdash \mu\bar X.\tau : \mathrm{Type}}
\]
As usual, there are associated term constructors $\mathrm{fold}\ M$ and $\mathrm{unfold}\ M$ that mediate between the recursive type and its unfolding together with equations expressing that fold and unfold are each other's inverses.

There is a rich supply of types contractively functorial in $\bar X$ as can be seen from the following proposition. Proposition 4.10 is stated compactly, and some of the items in fact cover two statements. For example, item (4) states that if $\sigma$ is functorial, so are $\Pi_{i:I}\,\sigma$ and $\Sigma_{i:I}\,\sigma$, and if $\sigma$ is contractively functorial so are $\Pi_{i:I}\,\sigma$ and $\Sigma_{i:I}\,\sigma$.

Proposition 4.10. Let $\bar X$ be type variables and let $\sigma, \tau$ be types.

(1) any type variable $X$ is functorial in $\bar X$

(2) if $\bar X$ do not appear in $\sigma$ then $\sigma$ is contractively functorial in $\bar X$

(3) if $\sigma$ and $\tau$ are both (contractively) functorial in $\bar X$ so are $\sigma \to \tau$ and $\sigma \times \tau$

(4) if $\sigma$ is (contractively) functorial in $\bar X$ and $\bar X$ do not appear in I then $\Pi_{i:I}\,\sigma$ and $\Sigma_{i:I}\,\sigma$ are both (contractively) functorial in $\bar X$

(5) If $\sigma$ is (contractively) functorial in $\bar X$ (witnessed by $\sigma'$ and $\mathrm{st}_\sigma$) and $\phi$ is a predicate on $\sigma'$ such that

then $\{ x : \sigma \mid \phi[\bar X / \bar Y](x) \}$ is (contractively) functorial in $\bar X$.

(6) If $\sigma$ is functorial in $\bar X$, then $\blacktriangleright\sigma$ is contractively functorial in $\bar X$.

Item (5) uses the notation $\phi_{\bar X_-, \bar Y_-}$ for $\phi[\bar X_-, \bar Y_- / \bar X, \bar Y]$.

Proof. The proof is a standard construction of functors from type expressions, and we just show a few examples. For (3), if $\sigma'$ and $\tau'$ along with $\mathrm{st}_\sigma$ and $\mathrm{st}_\tau$ witness that $\sigma$ and $\tau$ are functorial, then $\sigma'(\bar Y, \bar X) \to \tau'$ along with $\mathrm{st}_{\sigma \to \tau}(f, g)$ defined as
\[
\lambda h : \sigma'(\bar Y_-, \bar X_-) \to \tau'(\bar X_-, \bar Y_-).\ \mathrm{st}_\tau(f, g) \circ h \circ \mathrm{st}_\sigma(g, f)
\]
witness that $\sigma \to \tau$ is functorial.

For (4) the assumption gives us a type $\sigma'$ plus a term
\[
\Gamma, i : I, \bar X_-, \bar Y_-, \bar X_+, \bar Y_+, \bar f : \bar X_+ \to \bar X_-, \bar g : \bar Y_- \to \bar Y_+ \vdash \mathrm{st}_\sigma(\bar f, \bar g) : \sigma'(\bar X_-, \bar Y_-) \to \sigma'(\bar X_+, \bar Y_+)
\]
and we can define $\mathrm{st}_{\Pi_{i:I}\sigma}(\bar f, \bar g)$ as
\[
\lambda x : \Pi_{i:I}\,\sigma'(\bar X_-, \bar Y_-).\ \lambda i : I.\ \mathrm{st}_\sigma(\bar f, \bar g)(x(i))
\]
(This uses the exchange rule mentioned earlier.)

For item (5) the assumption is exactly the condition needed to show that $\mathrm{st}_\sigma(f, g)$ restricts to a term of the type
\[
\{ x : \sigma'(\bar X_-, \bar Y_-) \mid \phi_{\bar X_-, \bar Y_-}(x) \} \to \{ x : \sigma'(\bar X_+, \bar Y_+) \mid \phi_{\bar X_+, \bar Y_+}(x) \}. \qquad \square
\]
To allow for nested recursive types, one needs to prove that if $\sigma$ is functorial in $\bar X$ and contractively functorial in $\bar Y$, then $\mu\bar Y.\sigma$ is functorial in $\bar X$. In the type theory sketched above this is not provable because in general $\mathrm{st}_{\mu\bar Y.\sigma}(f, g)$ is not definable, but as we shall see when we sketch the interpretation of the type theory, it is safe to add $\mathrm{st}_{\mu\bar Y.\sigma}$ as a constant, together with appropriate equations, such that nested recursive types can in fact be defined.

Remark 4.11. The rules for well-definedness of recursive types are complicated because of the subset types, which require explicit mention of the syntactic strength st. Alternatively, one could give a simple grammar for well-defined recursive types not including subset types, but including nested recursive types not mentioning st, and then show how to interpret these by inductively constructing the contractive strength in the model. We chose the above approach because it is more expressive and because the subset types are needed in applications as illustrated in Section 3.3.
4.5. Interpreting the type theory. The interpretation of an open type $\Gamma \vdash \sigma : \mathrm{Type}$ is defined modulo an environment mapping the type variables in $\Gamma$ to semantic types, i.e., objects in slice categories. Precisely, if $\Gamma$ is of the form $\Gamma', X : \mathrm{Type}, \Gamma''$ then $\rho$ should map X to an object of $\mathcal S/[\![\Gamma']\!]_{\rho'}$ where $\rho'$ is the restriction of $\rho$ to the type variables of $\Gamma'$. The interpretation of open types is defined by induction and most of the cases are exactly as in the usual interpretation of dependent type theory [23], and we just mention the new cases. The interpretation of a type variable introduction is defined as $[\![\Gamma', X : \mathrm{Type}, \Gamma'' \vdash X : \mathrm{Type}]\!] = p^*_{\Gamma, \Gamma'}(\rho(X))$, where $p_{\Gamma, \Gamma'}$ denotes the projection $[\![\Gamma]\!]_\rho \to [\![\Gamma']\!]_\rho$. The interpretation of $\blacktriangleright$ is defined as $[\![\Gamma \vdash \blacktriangleright\sigma : \mathrm{Type}]\!] = \blacktriangleright_{[\![\Gamma]\!]_\rho}([\![\Gamma \vdash \sigma : \mathrm{Type}]\!])$.

For the interpretation of recursive types, note that for every type $\Gamma, \bar X \vdash \sigma : \mathrm{Type}$ functorial in $\bar X$ and every environment $\rho$ mapping the free type variables in $\Gamma$ to semantic types, one can define a strong functor of the type
\[
[\![\sigma]\!]_\rho : \big((\mathcal S/[\![\Gamma]\!]_\rho)^{\mathrm{op}} \times \mathcal S/[\![\Gamma]\!]_\rho\big)^n \to \mathcal S/[\![\Gamma]\!]_\rho
\]
as follows. Assuming that the functoriality of $\sigma$ is witnessed by $\sigma'$ and st as in Definition 4.7, the action of $[\![\sigma]\!]_\rho$ on objects is defined by the interpretation of $\sigma'$. Given objects $\bar A_-, \bar A_+, \bar B_-, \bar B_+$ of $\mathcal S/[\![\Gamma]\!]_\rho$ the interpretation of st is a morphism in $\mathcal S/[\![\Gamma]\!]_\rho$ of the type
\[
A_{-1}^{A_{+1}} \times \cdots \times A_{-n}^{A_{+n}} \times B_{+1}^{B_{-1}} \times \cdots \times B_{+n}^{B_{-n}} \to \sigma'(\bar A_+, \bar B_+)^{\sigma'(\bar A_-, \bar B_-)}
\]
where the products and exponentials are those of the slice $\mathcal S/[\![\Gamma]\!]_\rho$. The interpretation of st defines the strength of $[\![\sigma]\!]_\rho$, from which the action of $[\![\sigma]\!]_\rho$ on morphisms can be derived in the usual way.

Similarly, if $\sigma$ is functorial in the n first type variables and contractively functorial in the last one then the interpretation of the witness st defines a strong functor which is locally contractive in the last variable and so we can define $[\![\mu X.\tau]\!]_\rho = \mathrm{Fix}([\![\tau]\!]_\rho)$ using the fixed point given by Theorem 4.5.

There is a question of well-definedness here, since the fixed point of $[\![\sigma]\!]_\rho$ a priori could depend on the choice of $\sigma'$ and st. The uniqueness of the fixed point of Theorem 4.5, however, ensures that even for different such choices, the resulting $[\![\sigma]\!]_\rho$ will be isomorphic. Usually, $\sigma$ comes with a canonical choice of $\sigma'$ and st as given by Proposition 4.10.

As mentioned earlier, for allowing nested recursive types in the type theory we need to add constants of the form $\mathrm{st}_{\mu Y.\sigma}(f, g)$. Having sketched the interpretation of the type theory we can now see that it is safe to do so: $\mathrm{st}_{\mu Y.\sigma}(f, g)$ can be interpreted using the strength of $\mathrm{Fix}\,[\![\sigma]\!]_\rho$ which exists by Theorem 4.5.

4.6. On Coherence. Above, we have worked in the codomain fibration and ignored coherence issues, i.e., the fact that the codomain fibration and the associated fibred functors needed for the interpretation of the type theory are not split. One further advantage of the concrete representation of slices $\mathcal S/I$ as presheaves over $\int I$ is that the latter gives rise to a split model. The idea is to form a split indexed category $P : \mathcal S \to \mathbf{Cat}^{\mathrm{op}}$, with fibre over I given by $P(I) = \widehat{\int I}$, and reindexing $P(u : I \to J)$ given by $P(u)(X)(n, i) = X(u_n(i))$. By forming the Grothendieck construction [23] on P one obtains a split fibration $\mathrm{Fam}(\mathcal S) \to \mathcal S$ which is equivalent to the codomain fibration. Then one uses this fibration to interpret the types and terms without free type variables, and uses split fibred functors
\[
\big(\mathrm{Fam}(\mathcal S)_{[\![\Gamma]\!]}^{\mathrm{op}} \times \mathrm{Fam}(\mathcal S)_{[\![\Gamma]\!]}\big)^n \to \mathrm{Fam}(\mathcal S)_{[\![\Gamma]\!]}
\]
to interpret open types $\Gamma \vdash \tau : \mathrm{Type}$. Finally, one checks that the fibred constructs (e.g., right adjoints to reindexing) used to interpret the dependent type theory are split, and that $\blacktriangleright$ and the construction of recursive types are also split. The latter essentially boils down to observing that the actual construction of initial algebras in Section 8 is done fibrewise and thus preserved on-the-nose by reindexing. We omit further details.



5. Relation to metric spaces

Let CBUlt be the category of complete bounded ultrametric spaces and non-expansive maps. In [?] only those spaces that were also bisected were used: a metric space is bisected if all non-zero distances are of the form $2^{-n}$ for some natural number $n > 0$. Let BiCBUlt be the full subcategory of CBUlt of bisected spaces, and let BiUlt be the category of all bisected ultrametric spaces (necessarily bounded).

Let $t\mathcal S$ be the full subcategory of $\mathcal S$ on the total objects.

Proposition 5.1. There is an adjunction between BiUlt and $\mathcal S$, which restricts to an equivalence between $t\mathcal S$ and BiCBUlt, as in the diagram:

(Diagram: the full subcategory inclusions $t\mathcal S \subseteq \mathcal S$ and $\mathrm{BiCBUlt} \subseteq \mathrm{BiUlt}$, the latter with a left adjoint; the functor $F : \mathrm{BiUlt} \to \mathcal S$ with its right adjoint; and the equivalence $t\mathcal S \simeq \mathrm{BiCBUlt}$ obtained by restriction.)

Proof sketch. The functor $F : \mathrm{BiUlt} \to \mathcal S$ is defined as follows. A space $(X, d) \in \mathrm{BiUlt}$ gives rise to an indexed family of equivalence relations by $x \equiv_n x' \iff d(x, x') < 2^{-n}$, which can then be viewed as a presheaf: at index n, it is the quotient $X/\!\equiv_n$; see, e.g. [?]. One can check that F in fact maps into $t\mathcal S$ and that F has a right adjoint that maps into BiCBUlt. The right adjoint maps a variable set into a metric space on the limit of the family of variable sets; the metric expresses up to what level elements in the limit agree. The left adjoint from BiUlt to BiCBUlt is given by the Cauchy-completion. □

Proposition 5.2. A morphism in BiCBUlt is contractive in the metric sense iff it is contractive in the internal sense of $\mathcal S$.

The later operator on $\mathcal S$ corresponds to multiplying by $\frac12$ in ultra-metric spaces, except on the empty space. Specifically, $F(\frac12 X)$ is isomorphic to $\blacktriangleright(FX)$, for all non-empty X. For ultra-metric spaces, the formulation of existence of solutions to guarded recursive domain equations has to consider the empty space as a special case. Here, in $\mathcal S$, we do not have to do so, since $\blacktriangleright$ behaves better than $\frac12$ on the empty set.



6. General models of guarded recursive terms 

Having presented the specific model S we now turn to general models of guarded recursion. We give an axiomatic definition of what models of guarded recursion are, and in Section 8 we show that S is just one in a large class of models.

We start by defining a notion of model of guarded recursive terms, and showing that the class of such models is closed under taking slices. This result is not only of interest in its own right, but also needed for showing that the general models of Section 8 model guarded recursive dependent types.

Definition 6.1. A model of guarded recursive terms is a category 𝓔 with finite products together with an endofunctor ► : 𝓔 → 𝓔 and a natural transformation next : id → ► such that

• for every morphism f : ►X → X there exists a unique morphism h : 1 → X such that f ∘ next ∘ h = h;

• ► preserves finite limits.

Lemma 6.2. If 𝓔 models guarded recursive terms then ► is strong.

Proof. Using next one can define a strength for ► as the composite

\[ \blacktriangleright X \times Y \xrightarrow{\ \mathrm{id} \times \mathrm{next}\ } \blacktriangleright X \times \blacktriangleright Y \cong \blacktriangleright(X \times Y), \]

where the isomorphism uses that ► preserves finite products. □

The notion of contractive morphism as well as Lemma 2.3 and Theorem 2.4 generalise directly to the current setting.

Theorem 6.3. If 𝓔 is a locally cartesian closed model of guarded recursive terms, then so is every slice of 𝓔.



To prove Theorem 6.3 we must first show how to generalise ► to slices. We do this by taking the pullback diagram of Proposition 4.3 as a definition of ►_I X. In other words we define ►_I as the composite

\[ \mathcal{E}/I \xrightarrow{\ \blacktriangleright\ } \mathcal{E}/\blacktriangleright I \xrightarrow{\ \mathrm{next}^*\ } \mathcal{E}/I \tag{6.1} \]

where the first functor maps p_X : X → I to ►(p_X) : ►X → ►I and the second is given by pullback along next. Recall that next* has a left adjoint ∐_next mapping p_Y : Y → I to next ∘ p_Y and so next* preserves limits. It is easy to see that also the first functor of (6.1) preserves finite limits because ► does, and thus we have the following:

Lemma 6.4. The functor ►_I : 𝓔/I → 𝓔/I preserves finite limits.

We define next_I : p_Y → ►_I p_Y in the slice over I as indicated in the diagram below

\[
\begin{array}{ccccc}
Y & \xrightarrow{\ \mathrm{next}_I\ } & \blacktriangleright_I Y & \longrightarrow & \blacktriangleright Y \\
& {\scriptstyle p_Y}\searrow & \downarrow & & \downarrow{\scriptstyle \blacktriangleright p_Y} \\
& & I & \xrightarrow{\ \mathrm{next}\ } & \blacktriangleright I
\end{array}
\]

where the square is the pullback defining ►_I Y and next_I is the map into the pullback induced by p_Y and next_Y : Y → ►Y (which agree over ►I by naturality of next). It is easy to show that next_I is a natural transformation.

The following proposition states that ► defines a fibred functor and hence can serve as a type constructor in the dependent type theory of 𝓔.

Proposition 6.5. For every u: J → I in 𝓔 the following diagram commutes up to isomorphism

\[
\begin{array}{ccc}
\mathcal{E}/I & \xrightarrow{\ \blacktriangleright_I\ } & \mathcal{E}/I \\
{\scriptstyle u^*}\downarrow & & \downarrow{\scriptstyle u^*} \\
\mathcal{E}/J & \xrightarrow{\ \blacktriangleright_J\ } & \mathcal{E}/J .
\end{array}
\]

As a consequence, the collection of functors ►_I defines a fibred endofunctor on the codomain fibration.

Proof. We can write the diagram as a composite as below.

\[
\begin{array}{ccccc}
\mathcal{E}/I & \xrightarrow{\ \blacktriangleright\ } & \mathcal{E}/\blacktriangleright I & \xrightarrow{\ \mathrm{next}^*\ } & \mathcal{E}/I \\
{\scriptstyle u^*}\downarrow & & \downarrow{\scriptstyle (\blacktriangleright u)^*} & & \downarrow{\scriptstyle u^*} \\
\mathcal{E}/J & \xrightarrow{\ \blacktriangleright\ } & \mathcal{E}/\blacktriangleright J & \xrightarrow{\ \mathrm{next}^*\ } & \mathcal{E}/J .
\end{array}
\]

The square on the left commutes because ► preserves pullbacks, the one on the right follows from the naturality square for next. □

Proposition 6.6. The collection of next_I morphisms defines a fibred natural transformation from the fibred identity on the codomain fibration to ►:

\[ \mathrm{next} : \mathrm{id} \Rightarrow \blacktriangleright : \mathcal{E}^{\to} \to \mathcal{E}^{\to} . \]

Proof. A fibred natural transformation between fibred functors is a natural transformation with vertical components. The components of next are clearly vertical, but we must show that next defines a natural transformation between the two functors on the total category 𝓔^→. So consider a morphism in 𝓔^→ from Y → I to X → J, and write it as a composition of a vertical morphism g and a cartesian morphism f. We must verify naturality diagrams for next with respect to f and g. Naturality wrt. g is just naturality of next_I : id → ►_I on 𝓔/I, and naturality wrt. f can be verified by a diagram chase that we omit. □

It remains to prove the existence (and uniqueness) of fixed points in slices. We do that by reducing those to global fixed points. In the next lemma we use internal language notation, writing ∏_{i:I} X_i for the functor

\[ \mathcal{E}/I \xrightarrow{\ \prod_{!}\ } \mathcal{E}/1 \simeq \mathcal{E} \]

applied to an object p_X : X → I, where ∏_! is the right adjoint to !* for !: I → 1, and using similar notation for the result of applying the same functor to morphisms.
Lemma 6.7. Suppose that f: p_X → p_Y is a contractive morphism in the slice 𝓔/I. Then ∏_{i:I} f_i : ∏_{i:I} X_i → ∏_{i:I} Y_i is a contractive morphism in 𝓔. As a consequence any contractive endomorphism in 𝓔/I has a unique fixed point.

Proof. The assumption gives us a g such that f = g ∘ next_I and from that we can derive a factorisation of ∏_{i:I} f_i as

\[ \prod_{i:I} X_i \xrightarrow{\ \prod_{i:I} \mathrm{next}\ } \prod_{i:I} \blacktriangleright X_i \xrightarrow{\ \prod_{i:I} g_i\ } \prod_{i:I} Y_i . \]

To show ∏_{i:I} f_i contractive, it suffices to show commutativity of the triangle

\[ \prod_{i:I} X_i \xrightarrow{\ \mathrm{next}\ } \blacktriangleright\Big(\prod_{i:I} X_i\Big) \longrightarrow \prod_{i:I} \blacktriangleright X_i \tag{6.2} \]

with ∏_{i:I} next, where the second arrow is the canonical comparison map. Writing π_i for the term i: I ⊢ λx: ∏_{i:I} X_i. x_i : X_i, the adjoint correspondent of (6.2) can be expressed in the internal language of 𝓔 as

\[ i: I,\ x: \prod_{i:I} X_i \ \vdash\ \blacktriangleright(\pi_i) \circ \mathrm{next}(x) = \mathrm{next} \circ \pi_i(x) : \blacktriangleright X_i \]

which is simply naturality of next. This sketch in the internal language can be turned into a formal diagrammatic argument.

Now, it is easy to see that if f is an endomorphism then there is a bijective correspondence between fixed points of ∏_{i:I} f_i in the global sense, and fixed points of f in the slice. □

Proof of Theorem 6.3. We have seen how every slice of 𝓔 has an endofunctor ►_I and a natural transformation next_I : id → ►_I, and we have seen that ►_I preserves finite limits (Lemma 6.4). Lemma 6.7 gives existence of the needed fixed points. □



6.1. A left adjoint to ►. In our model S, the functor ► has a left adjoint ◄ mapping the presheaf

X(1) ← X(2) ← X(3) ← ...

to the presheaf

X(2) ← X(3) ← X(4) ← ...

Moreover, ◄ preserves limits and so ◄ ⊣ ► defines a geometric morphism from S to itself, in fact it is an embedding. Hence ►_I as defined in (6.1) has a left adjoint ◄_I because next* has a left adjoint ∐_next and also ► : 𝓔/I → 𝓔/►I has a left adjoint defined by mapping p_X : X → ►I to its adjoint correspondent ◄X → I.

Even though ◄ preserves limits, ◄_I does not. The simplest counterexample is that of the terminal object id_I of 𝓔/I which is mapped to the adjoint correspondent prev : ◄I → I of next : I → ►I. So, in particular, ◄_I ⊣ ►_I does not define a geometric morphism.

We choose not to take ◄ as part of the basic structure of a model of guarded recursion because ◄_I in S does not define a fibred functor, and so it cannot be used in an internal language based on dependent type theory. To see why, observe that if f: J → I then ◄_J f*(id_I) = ◄_J(id_J) = prev_J and f* ◄_I(id_I) = f* prev_I, and these two are in general not isomorphic.
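As an added illustration (not part of the paper's text), the failure can already be seen over I = 1. From the description of ◄ above, (◄X)(n) = X(n+1), prev_X : ◄X → X has the restriction maps X(n+1) → X(n) as components, and ◄1 = 1. Let J be the presheaf (constructed here) with J(1) = 1 and J(n) = ∅ for n ≥ 2, and let f : J → 1 be the unique map. Then

\[
\begin{aligned}
f^*\,\blacktriangleleft_1(\mathrm{id}_1) &= f^*(\mathrm{prev}_1) = f^*(\mathrm{id}_1) = \mathrm{id}_J : J \to J, \\
\blacktriangleleft_J f^*(\mathrm{id}_1) &= \blacktriangleleft_J(\mathrm{id}_J) = \mathrm{prev}_J : \blacktriangleleft J \to J, \qquad (\blacktriangleleft J)(n) = J(n+1) = \emptyset \ \text{for all } n,
\end{aligned}
\]

so the two objects of S/J have domains J and the initial presheaf 0 respectively, and are not isomorphic.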
Observe also that ► does not preserve dependent products, i.e., the diagram

\[
\begin{array}{ccc}
\mathcal{E}/J & \xrightarrow{\ \blacktriangleright_J\ } & \mathcal{E}/J \\
{\scriptstyle \prod_f}\downarrow & & \downarrow{\scriptstyle \prod_f} \\
\mathcal{E}/I & \xrightarrow{\ \blacktriangleright_I\ } & \mathcal{E}/I
\end{array}
\]

does not in general commute. The reason is that the diagram obtained by taking left adjoints to all functors above is the diagram stating that ◄ is a fibred functor, which we have just established does not commute.



6.2. An operation on predicates. We now assume that 𝓔 is a topos modelling guarded recursion and we shall see how to obtain the principle of Löb induction in 𝓔.

As we have seen, ►_X preserves limits, hence monos, and thus defines a map ▷ : Sub(X) → Sub(X) for all X, which is easily seen to be order preserving. The term next_X verifies that m ≤ ▷m. As a consequence of Proposition 6.5 this family is natural in X and thus, by the usual Yoneda argument, it corresponds to an operation on propositions ▷ : Ω → Ω. We now embark on proving the following theorem.



Theorem 6.8 (Löb induction). The reasoning principle ∀p: Prop. (▷p → p) → p is valid in 𝓔.



To prove the theorem, we need a few lemmas. The first describes the action of ▷ : Sub(X) → Sub(X) as an action on characteristic maps.

Lemma 6.9. Let m: M → X be a mono and let χ_m : X → Ω be its characteristic map. Then succ ∘ ►χ_m ∘ next is the characteristic map of ▷(m), where succ : ►Ω → Ω is the characteristic map of the mono ►⊤ : ►1 → ►Ω.



Proof. Consider the diagram

\[
\begin{array}{ccccccc}
\triangleright M & \longrightarrow & \blacktriangleright M & \longrightarrow & \blacktriangleright 1 & \longrightarrow & 1 \\
{\scriptstyle \triangleright(m)}\downarrow & \lrcorner & \downarrow{\scriptstyle \blacktriangleright m} & \lrcorner & \downarrow{\scriptstyle \blacktriangleright \top} & \lrcorner & \downarrow{\scriptstyle \top} \\
X & \xrightarrow{\ \mathrm{next}\ } & \blacktriangleright X & \xrightarrow{\ \blacktriangleright \chi_m\ } & \blacktriangleright \Omega & \xrightarrow{\ \mathrm{succ}\ } & \Omega .
\end{array}
\]

All the squares are pullbacks, and so also the outer square is a pullback, which proves the lemma. □

Subobjects of X correspond to morphisms X → Ω which in turn correspond to global elements of Ω^X. As a consequence of Lemma 6.9 the operation ▷ on subobjects corresponds to composing the global elements with the morphism Ω^X → Ω^X mapping χ_m to succ ∘ ►χ_m ∘ next. Since this morphism is contractive, it has a unique fixed point.

Corollary 6.10. Let m be a subobject of X. If ▷(m) ≤ m then m is the maximal subobject.



Proof of Theorem 6.8. The principle is proved using Joyal-Kripke semantics, see [26, Thm 8.4]. Using items (7) and (6) of the referenced theorem, it suffices to show that for any X and any f: X → Ω, if the map λx: X. ▷f(x) → f(x) factors through ⊤: 1 → Ω, then so does f. Expressing this using subobjects rather than representable maps, we must show that, for any subobject m of X, if ▷m → m is the maximal subobject, then so is m. But ▷m → m is maximal iff ▷m ≤ m, and so the principle follows from Corollary 6.10. □
7. General models of guarded recursive types

In this section we formulate the most general existence theorem for recursive types in models of guarded recursion. Moreover, we reduce the problem of solving general recursive domain equations to that of solving covariant domain equations using the uniqueness of fixed points in combination with Freyd's theory of algebraic compactness [15-17].



Note first that Definition 2.12 of locally contractive functor on our concrete model S carries over verbatim to general cartesian closed models 𝓔 of guarded recursive terms.

Definition 7.1. A model of guarded recursive types is a cartesian closed model of guarded recursive terms (in the sense of Definition 6.1) 𝓔 such that every locally contractive functor F : 𝓔 → 𝓔 has a fixed point (up to isomorphism). A model of guarded recursive dependent types is a locally cartesian closed category whose slices all are models of guarded recursive types.

As a justification of the above definition we shall prove that fixed points for locally contractive covariant functors give fixed points of general (locally contractive) mixed variance functors. In fact, we state and prove this not only for functors on 𝓔, but, more generally, for functors on 𝓔-enriched categories. This is in line with classical work on recursive types in O-categories [?] (categories enriched in complete partial orders) and more recent work on recursive types in M-categories [?] (categories enriched in complete bounded ultrametric spaces).

Recall that an 𝓔-enriched category C is a collection of objects together with for each pair of objects X, Y of C an 𝓔-object Hom_C(X, Y) together with composition morphisms Hom_C(X, Y) × Hom_C(Y, Z) → Hom_C(X, Z) and morphisms ⌜id_X⌝ : 1 → Hom_C(X, X) satisfying commutative diagrams corresponding to the rules for morphism composition in category theory [24]. To each enriched category C we can associate a category in the usual sense with the same objects as C and set of morphisms from X to Y all 𝓔-morphisms from 1 to Hom_C(X, Y). This category is called the externalisation of C. Given a category C in the usual sense, we say that it is 𝓔-enriched if there exists an 𝓔-enriched category whose externalisation is C. Any cartesian closed category C is self-enriched: one can take Hom_C(X, Y) to be the exponent Y^X.

The notion of locally contractive functor readily generalises to 𝓔-enriched categories: if C is 𝓔-enriched consider the 𝓔-enriched category ►C with the same objects as C, hom-objects Hom_{►C}(X, Y) = ►Hom_C(X, Y), composition given as the composite

\[ \blacktriangleright\mathrm{Hom}_C(X,Y) \times \blacktriangleright\mathrm{Hom}_C(Y,Z) \cong \blacktriangleright\big(\mathrm{Hom}_C(X,Y) \times \mathrm{Hom}_C(Y,Z)\big) \xrightarrow{\ \blacktriangleright\mathrm{comp}\ } \blacktriangleright\mathrm{Hom}_C(X,Z) \]

and identity as next ∘ ⌜id⌝ : 1 → ►Hom_C(X, X). Note that ►(C × D) = ►C × ►D and ►(C^op) = (►C)^op. The natural transformation next defines an enriched functor [24] C → ►C whose action on objects is the identity and whose action on morphisms is given by next: Hom_C(X, Y) → ►Hom_C(X, Y).

Definition 7.2. An enriched functor F : D → C is locally contractive if it factors as a composition of enriched functors

\[ D \xrightarrow{\ \mathrm{next}\ } \blacktriangleright D \xrightarrow{\ G\ } C . \]

Specialising Definition 7.2 to the case of S as self-enriched gives Definition 2.12.

Lemma 7.3.

(1) If F : B → C and G: C → D are enriched functors and either F or G is locally contractive, then also GF is locally contractive.

(2) If F: C → D and G: C' → D' are locally contractive, so is F × G: C × C' → D × D'.

(3) Let H : B × C → D be enriched and suppose the enriched functor category D^C exists. Then H is locally contractive in the first variable iff its transpose H̃ : B → D^C is locally contractive.

Definition 7.4. An 𝓔-enriched category C is contractively complete if any locally contractive functor F: C → C has a fixed point, i.e., an object X such that FX ≅ X.

The isomorphism FX ≅ X is an isomorphism in the externalisation of C. Similarly, the notation f: X → Y always refers to morphisms in the external version of C.

We can now state the main theorem. It uses the symmetrization Ĝ of a mixed variance functor G defined in Section 4.3. The proof follows after a brief series of lemmas.

Theorem 7.5. Let 𝓔 be a model of guarded recursive terms, C be 𝓔-enriched and contractively complete, and let F: (C^op × C)^{n+1} → C be locally contractive in the (n+1)th variable pair. Then there exists a unique (up to isomorphism) Fix F: (C^op × C)^n → C such that F ∘ (id, Fix F) ≅ Fix F. Moreover, if F is locally contractive in all variables, so is Fix F. In particular, the above statement holds for C = 𝓔 if 𝓔 is a model of guarded recursive types.

Lemma 7.6. Let C be 𝓔-enriched and let F: C → C be a locally contractive functor. If X ≅ F(X), then the two directions of the isomorphism give an initial algebra structure and a final coalgebra structure for F on X. In particular, if F(X) ≅ X and F(Y) ≅ Y, then X ≅ Y.

Proof. Given an isomorphism f: FX → X and some other algebra g: FZ → Z, a morphism h: X → Z is an algebra homomorphism iff the diagram

\[
\begin{array}{ccc}
FX & \xrightarrow{\ Fh\ } & FZ \\
{\scriptstyle f}\downarrow & & \downarrow{\scriptstyle g} \\
X & \xrightarrow{\ h\ } & Z
\end{array}
\]

commutes, i.e., iff h is a fixed point of the map h ↦ g ∘ F(h) ∘ f^{-1}, which is a contractive endomorphism on Hom_C(X, Z) (as F is locally contractive). Since this map has exactly one fixed point, we conclude that there is exactly one algebra homomorphism from f to g. The argument for final coalgebras is similar. □

There is also a morphism in 𝓔 computing the unique mediating homomorphism from the initial algebra.

Lemma 7.7. Let C and F be as in Lemma 7.6 and let f: FX → X be an isomorphism. For any Z there exists a morphism k: Hom_C(FZ, Z) → Hom_C(X, Z) such that ∀g: Hom_C(FZ, Z). k(g) ∘ f = g ∘ F(k(g)) holds in the internal language of 𝓔.

Proof. Define k to be the fixed point of the map Hom_C(FZ, Z) × Hom_C(X, Z) → Hom_C(X, Z) mapping g, h to g ∘ Fh ∘ f^{-1}. □
Lemma 7.8. Let C, D be 𝓔-enriched categories and let F: D × C → C be enriched and locally contractive in the second variable. If the functor F(X, −) : C → C has an initial algebra for all X in D, then there is an 𝓔-enriched functor μF: D → C mapping X to the carrier of the initial algebra. If, moreover, F is locally contractive in the first variable, then μF is locally contractive.

Proof. The functor μF is defined (as is standard) to map f: X → Y to the unique μF(f) making the diagram

\[
\begin{array}{ccccc}
F(X, \mu F(X)) & \xrightarrow{\qquad\qquad\qquad} & & & \mu F(X) \\
{\scriptstyle F(X, \mu F(f))}\downarrow & & & & \downarrow{\scriptstyle \mu F(f)} \\
F(X, \mu F(Y)) & \xrightarrow{\ F(f, \mathrm{id})\ } & F(Y, \mu F(Y)) & \longrightarrow & \mu F(Y)
\end{array}
\tag{7.1}
\]

commute. Now, the enrichment of μF is obtained by composing the morphism Hom_D(X, Y) → Hom_C(F(X, μF(Y)), μF(Y)) mapping f to the composite in the bottom line of (7.1) with the morphism of Lemma 7.7. In the case of F being locally contractive in both variables, the first stage of this composite morphism is contractive and so μF becomes locally contractive. □

Recall that an initial dialgebra for G: C^op × C → C is an initial algebra of Ĝ [15-17].



Lemma 7.9. Let C be E-enriched and G: C op x C — > C be a locally contractive functor. 
If G(X, Y) = Y and G(Y, X) = X then the pair (X, Y) together with the isomorphisms 
constitute an initial dialgebra for G. In particular (X, Y) is unique up to isomorphism with 
this property. Moreover X = Y. 

Proof. If G is locally contractive, so is G. Thence Lemma 17.61 proves that (X, Y) is an 
initial dialgebra. To show X = Y note that the hypothesis of the lemma is symmetric in 
X and Y, so we may apply what we have just proved to conclude that (Y, X) is an initial 
dialgebra. By uniqueness of initial dialgebras (X, Y) = (Y,X). □ 

We can now give the promised proofs of the main theorem and proposition in this section.

Proof of Theorem 7.5. Consider first the case of n = 0. Recall the functor μF: C^op → C from Lemma 7.8 mapping X to the unique fixed point of F(X, −). Define Z to be the unique fixed point of the functor X ↦ F(μF(X), X) and define W = μF(Z). Then F(W, Z) = F(μF(Z), Z) ≅ Z and F(Z, W) = F(Z, μF(Z)) ≅ μF(Z) = W, and so Lemma 7.9 applies giving the unique solution to F and proving that W ≅ Z.

In the general case of n ≠ 0, Lemma 7.8 applies to give the functor Fix F. □

The statement and proof of Proposition 4.6 carries over verbatim from the case of S to the general case of 𝓔 a model of guarded recursive dependent types.



8. A class of models of guarded recursion

The aim of this section is to establish a large class of models of guarded recursive dependent types including our main example, the topos S. This involves showing existence of fixed points for locally contractive functors. The special case of S, together with the results of Section 7, prove Theorem 4.5.

The class of models we consider are sheaves over a complete Heyting algebra with a well-founded basis. In this section we assume some familiarity with the basics of complete Heyting algebras and sheaves over such [27].

Definition 8.1. A partial order A is well-founded if there are no infinite descending sequences a_0 > a_1 > a_2 > ⋯

Here a > a' means a ≥ a' and a ≠ a' as usual. Note that any forest is well-founded.

Definition 8.2. Let A be a partial order and let K ⊆ A. Then K is a basis for A if each a ∈ A is a least upper bound of all the base elements below it, i.e. a = ∨{k ∈ K | k ≤ a}.

Example 8.3. If K is a well-founded partial order then the ideal completion Idl(K) consisting of down-closed subsets of K is a complete Heyting algebra and the set {↓k | k ∈ K}, where ↓k = {k' ∈ K | k' ≤ k}, is a well-founded basis.

In the following we reserve a's and b's for elements of A and k's for elements in K. A sieve B on a in A is just a downward closed subset of {b ∈ A | b ≤ a} and it is covering if ∨B = a. If A is a complete Heyting algebra then this defines a Grothendieck topology, and the corresponding category Sh(A) of sheaves is the full subcategory of presheaves X such that (X(∨B) → X(b))_{b∈B} is a limiting cone for all sieves B ⊆ A. We recall the following well-known fact.

Proposition 8.4. If A is a partial order then Sh(Idl(A)) ≃ Â.

Proof. The equivalence maps X in Â to λB. lim_{b∈B} X(b) (we shall write X̄ for this sheaf) and Y in Sh(Idl(A)) to λa. Y(↓a). □

Collectively Proposition 8.4 and Example 8.3 state that the general class of models we consider include all toposes of the form Â for A a well-founded partial order, in particular all slices of S.

Theorem 8.5. Let A be a complete Heyting algebra with a well-founded basis. Then Sh(A) is a model of guarded recursive dependent types. In particular S and indeed any topos of the form Â for A a well-founded partial order is a model of guarded recursive dependent types.

Di Gianantonio and Miculan [?] essentially prove that Sh(A) is a model of guarded recursive terms if A is the set of opens of a topological space with a well-founded basis; here we extend their results to guarded recursive types and, moreover, consider more general models (not necessarily arising from topological spaces).

Theorem 8.6. Let A be a complete Heyting algebra with a well-founded basis and let C be a Sh(A)-enriched category. If C is complete (precisely, the externalisation of C is complete in the usual sense) then it is contractively complete.

Note that the notion of completeness assumed for C above is the usual one (rather than 
the enriched notion of completeness). 

In the remainder of this section we prove Theorems 8.6 and 8.5. We start by showing that Sh(A) models guarded recursive terms.
8.1. Modelling recursive terms. Following [10] we give the following definition.

Definition 8.7. Define the predecessor map p: A → A by

\[ p(a) = \bigvee\{k \in K \mid k < a\}. \]

The predecessor map induces an endofunctor on the category of presheaves on A; following standard notation, we write p* : Â → Â for this functor, defined by p*(X) = X ∘ p. We define ► : Sh(A) → Sh(A) by ►X = a(p*X), where a is the associated sheaf functor. Define next_pre : X → p*X by next_pre,a(x ∈ X(a)) = x|_{p(a)} and define next = a(next_pre) : X → ►X for all sheaves X.

Note that

\[ \mathrm{next} = \eta \circ \mathrm{next}_{\mathrm{pre}} \tag{8.1} \]

where η is the unit of the adjunction a ⊣ I, with I: Sh(A) → Â the inclusion of sheaves into presheaves. This can be seen by applying a to both sides of the equation since a fixes maps between sheaves and because a(η) is the identity.

Remark 8.8. The use of the associated sheaf functor a in the definition of ► is necessary, because p*X need not be a sheaf. Consider, for example, the situation where A is the powerset of a 2-element set {a, b}. Then a sheaf is a presheaf X such that X(∅) = 1 and X({a, b}) = X({a}) × X({b}). The map p is

\[ p(\emptyset) = p(\{a\}) = p(\{b\}) = \emptyset, \qquad p(\{a, b\}) = \{a, b\}. \]

So p*X({a, b}) = X({a, b}), but p*X({a}) = p*X({b}) = 1, in particular p*X is in general not a sheaf. On the other hand ►X = 1.

Lemma 8.9. The functor ► preserves finite limits.

We will now show that the above definition of ► generalises the definition of ► from Section 4.2 on slices of S, see Proposition 8.11 below. For that we first need a lemma:

Lemma 8.10. Let A be a partial order. The composite

\[ \widehat{\mathrm{Idl}(A)} \xrightarrow{\ a\ } \mathrm{Sh}(\mathrm{Idl}(A)) \xrightarrow{\ \simeq\ } \hat{A} \]

maps P to λb. P(↓b). In other words aP(↓b) = P(↓b).

Proof. Since a is left adjoint to the inclusion, the composite sought for is left adjoint to the functor P ↦ P̄, and it is easy to check that the functor of the lemma satisfies this condition. □

Proposition 8.11. Let I be an object of S, and write ∫I for the partial order of elements of I (pairs (n, i) with i ∈ I(n)), so that S/I is equivalent to presheaves on ∫I. The composite

\[ S/I \simeq \mathrm{Sh}(\mathrm{Idl}(\textstyle\int I)) \xrightarrow{\ \blacktriangleright\ } \mathrm{Sh}(\mathrm{Idl}(\textstyle\int I)) \simeq S/I, \]

which we shall also call ►, agrees with ►_I as defined in Section 4.2.

Proof. We compute

\[
\begin{aligned}
\blacktriangleright P(n, i) &= \blacktriangleright P(\downarrow(n, i)) \\
&= (a\,p^*P)(\downarrow(n, i)) \\
&= (p^*P)(\downarrow(n, i)) \\
&= P(p(\downarrow(n, i))).
\end{aligned}
\]

Now, it is easy to see that if n = 1 then p(↓(n, i)) = ∅ so that ►P(1, i) = P(∅) = 1, and otherwise

\[ P(p(\downarrow(n, i))) = P(\downarrow(n-1, i|_{n-1})) = P(n-1, i|_{n-1}) \]

which implies the result. □

Using the well-founded basis we can reason by well-founded induction over A as the following easy lemma shows.

Lemma 8.12. Let φ(a) be a predicate on A. If

\[ \forall a \in A.\ (\forall k \in K.\ k < a \to \phi(k)) \to \phi(a) \]

then φ(a) holds for all a in A.

Proof. First use well-founded induction to conclude that φ(k) holds for all k ∈ K, then use the condition again to conclude that φ(a) holds for all a. □

We now aim to show that any morphism f: ►X → X has a unique fixed point. Since the associated sheaf functor is left adjoint to the inclusion of sheaves into presheaves, such morphisms correspond bijectively to morphisms of presheaves f̄: p*X → X (where f̄ = f ∘ η), and we shall start by constructing fixed points of morphisms of the latter form.

Lemma 8.13. Let X be a sheaf and let f: p*X → X and a ∈ A. Then there exists a unique family (x_b)_{b≤a} such that

(1) x_a|_b = x_b for all b ≤ a

(2) f_b(x_{pb}) = x_b for all b ≤ a

Proof. The proof is by well-founded induction on a using Lemma 8.12. Thus suppose the lemma holds for all k < a, i.e., for any k < a there exists a unique family (x_{k,b})_{b≤k} satisfying the requirements. Note that by uniqueness, if b ≤ k' ≤ k then x_{k,b} = x_{k',b}; so for any b < a we can define x_b to be the unique amalgamation of the family (x_{k,k})_{k≤b}. This gives us a compatible family (x_b)_{b<a}, i.e., x_{b'} = x_b|_{b'} if b' ≤ b. To see that this family also satisfies (2), for all b < a, note that it suffices to show that f_b(x_{pb})|_k = x_k, for all k ∈ K with k ≤ b. But

\[ f_b(x_{pb})|_k = f_k(x_{pk}) = x_k \]

since the family (x_{k,b})_{b≤k} satisfied (2).

It only remains to extend this family with a component x_a. By the sheaf condition there is a unique y in X(p(a)) such that y|_b = x_b. Define x_a = f_a(y). We must check that the extended family (x_b)_{b≤a} satisfies the conditions, and all that remains to prove is the case of b = a.

For (1) we must show that x_a|_b = x_b for all b < a:

\[ x_a|_b = f_a(y)|_b = f_b(y|_{pb}) = f_b(x_{pb}) = x_b , \]

where the last step is (2) for b < a.
For (2) we branch on whether a = pa or not (using classical reasoning). If pa < a then y = x_{pa}, and we are done. If a = pa then, by the sheaf condition, it suffices to prove that f_a(x_a)|_b = x_b for all b < a. But

\[
\begin{aligned}
f_a(x_a)|_b &= f_b\big((f_a(y))|_{p(b)}\big) \\
&= f_b\big(f_{p(b)}(y|_{pp(b)})\big) \\
&= f_b\big(f_{p(b)}(x_{pp(b)})\big) \\
&= f_b(x_{pb}) \\
&= x_b .
\end{aligned}
\]

For the proof of uniqueness, we must show that x_a as defined above gives the unique extension of (x_b)_{b<a} satisfying the conditions. Again we branch on pa = a or pa < a. In the first case, (1) together with the sheaf condition gives uniqueness and in the second it is (2) that gives uniqueness. □

Theorem 8.14. If A is a complete Heyting algebra with a well-founded basis then every slice of Sh(A) is a model of guarded recursive terms.

Proof. By Theorem 6.3 it suffices to show that Sh(A) is a model of guarded recursive terms, and for this it remains to show that if f : ►X → X, then there exists a unique fix(f) : 1 → X such that f ∘ next ∘ fix(f) = fix(f).

Consider first f ∘ η: p*X → X. The family (x_b)_{b≤∨A} given by Lemma 8.13 defines a map fix(f) : 1 → X: the naturality condition needed to have a map in Â is (1), and (2) states

\[ f \circ \eta \circ \mathrm{next}_{\mathrm{pre}} \circ \mathrm{fix}(f) = \mathrm{fix}(f) \tag{8.2} \]

which by (8.1) is equivalent to f ∘ next ∘ fix(f) = fix(f). In fact we see that to give a map fix(f) : 1 → X satisfying (8.2) is the same as giving a family (x_b)_{b≤∨A} and so the uniqueness statement of Lemma 8.13 shows that fix(f) : 1 → X is the unique such map. □
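Worked instance (added here as an illustration of Lemma 8.13 and Theorem 8.14; not part of the paper's text). Take K = {1 < 2 < 3 < ⋯} and A = Idl(K) with the basis {↓n | n ∈ K} of Example 8.3, so that Sh(A) ≃ S by Proposition 8.4. The elements of A are ∅ < ↓1 < ↓2 < ⋯ < K, and the predecessor map is

\[
p(\emptyset) = p(\downarrow 1) = \emptyset, \qquad p(\downarrow n) = \downarrow(n-1)\ \ (n \ge 2), \qquad p(K) = \bigvee_n \downarrow n = K .
\]

Writing X_n = X(↓n) for a sheaf X, the sheaf condition gives X(∅) = 1 and X(K) = lim_n X_n, so f̄ = f ∘ η : p*X → X has components

\[
\bar f_{\downarrow 1} : 1 \to X_1, \qquad \bar f_{\downarrow n} : X_{n-1} \to X_n\ \ (n \ge 2), \qquad \bar f_K : \lim_n X_n \to \lim_n X_n ,
\]

and the family of Lemma 8.13 for a = K is

\[
x_\emptyset = *, \qquad x_{\downarrow 1} = \bar f_{\downarrow 1}(*), \qquad x_{\downarrow n} = \bar f_{\downarrow n}(x_{\downarrow(n-1)}), \qquad x_K = (x_{\downarrow n})_n \in \lim_n X_n .
\]

The top element K is the case pK = K of the proof: x_K is forced by (1) and the sheaf condition, and (2) at K, i.e. f̄_K(x_K) = x_K, holds because f̄_K(x_K)|_{↓n} = f̄_{↓n}(x_K|_{p(↓n)}) = f̄_{↓n}(x_{↓(n-1)}) = x_{↓n} for every n. Under the equivalence of Proposition 8.4 (and Proposition 8.11 with I = 1) this is the familiar fixed point in S: x_1 = f_1(∗), x_{n+1} = f_{n+1}(x_n).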



8.2. Recursive types in sheaf models. Having proved that Sh(A) models guarded recursive terms, we now show that it models guarded recursive dependent types. We first prove Theorem 8.6 and then show how Theorem 8.5 follows from it. So in the following, let C be a complete Sh(A)-enriched category.

In the technical development it is simpler to work with presheaves and p* than it is to work with sheaves and ►, so we first reformulate the definition of local contractiveness in terms of p*. Note that we can define p*C in the same way as we defined ►C, using p* rather than ►. This gives us an Â-enriched category rather than a Sh(A)-enriched one. Any Sh(A)-enriched category is also Â-enriched and so in particular, C and ►C are Â-enriched. There is a commutative diagram of Â-enriched functors

\[ C \xrightarrow{\ \mathrm{next}_{\mathrm{pre}}\ } p^*C \xrightarrow{\ \eta\ } \blacktriangleright C, \qquad \text{whose composite is } \mathrm{next} : C \to \blacktriangleright C, \]

and the following lemma tells us that we can proceed to work with p* and presheaves rather than ► and sheaves.
Lemma 8.15. An enriched functor F: C → C is locally contractive iff there exists an Â-enriched functor H : p*C → C such that H ∘ next_pre = F.

Proof. If F is locally contractive and G is a witness of this, we can construct H by precomposing G with η. On the other hand, given H as above we can construct G by applying a to each hom-action of H. □

Now suppose F : C → C is locally contractive. We will construct a fixed point for F by a sufficiently large induction. To determine the height of the induction we start by assigning to each element a of A an ordinal by well-founded induction on a. We use ordinals (rather than just the elements of A) to get a linear diagram to take limits over when constructing the fixed point for F.

Definition 8.16. Define for each a ∈ A the ordinal Ord(a) = sup{Ord(k) + 1 | k < a ∧ k ∈ K}.

Lemma 8.17. Definition 8.16 defines an order preserving map Ord(−): A → Ord(∨A). If k < a and k ∈ K then Ord(k) < Ord(a).

We shall use p: Ord(∨A) → Ord(∨A) defined as p(α) = ∨{β | β < α}.

In the following we distinguish notationally between ordinals and elements of A by using Greek letters for the former and Latin letters for the latter.

Next we generalise the notion of n-isomorphism of Lemma 2.15. Recall that a morphism f: X → Y in C is the same as a morphism 1 → Hom_C(X, Y) in Sh(A), which is the same as a family (f_a)_{a∈A} with f_a ∈ Hom_C(X, Y)_a such that f_a|_b = f_b for all a and b ≤ a. We say that f_a is an isomorphism if there exists g_a ∈ Hom_C(Y, X)_a such that comp_a(f_a, g_a) = id_a and comp_a(g_a, f_a) = id_a. In the following we shall simply write f_a ∘ g_a for comp_a(g_a, f_a).

Definition 8.18. Let f: X → Y be a morphism in C, let a ∈ A and let α be an ordinal. We say that f is an a-isomorphism if for all b ≤ a the component f_b is an isomorphism. We say that f is an α-isomorphism if it is a b-isomorphism, for all b such that Ord(b) < α.

Lemma 8.19. Let F: C → C be locally contractive, and suppose f: X → Y is a b-isomorphism for all b < a. Then Ff is an a-isomorphism. As a consequence, Ff is an α-isomorphism if f is a β-isomorphism, for all β < α, or, equivalently, if f is a p(α)-isomorphism.

Proof. Formulating the assumption of local contractiveness using the equivalent condition of Lemma 8.15 we get maps H_{X,Y} : p*Hom_C(X, Y) → Hom_C(FX, FY) such that

\[ (Ff)_b = H_b(f_{p(b)}) . \]

The functoriality conditions on H are commutative diagrams in Â. These amount to the following equations required to hold for each b in A

\[ H_b(f_{p(b)} \circ g_{p(b)}) = H_b(f_{p(b)}) \circ H_b(g_{p(b)}) \tag{8.3} \]

\[ H_b(\mathrm{id}_{p(b)}) = \mathrm{id}_b \tag{8.4} \]

Now, suppose f: X → Y is a b-isomorphism, for all b < a. Define f^{-1}_{p(a)} to be the unique amalgamation of (f_b^{-1})_{b<a}. Then f^{-1}_{p(a)} is an inverse to f_{p(a)}: to show f^{-1}_{p(a)} ∘ f_{p(a)} = id_{p(a)} it suffices to show (f^{-1}_{p(a)} ∘ f_{p(a)})|_b = id_b for all b < a, which is clear since composition commutes with restriction.

So f_b has an inverse f_b^{-1} for all b ≤ p(a), in particular f_{p(b)} has an inverse, for all b ≤ a. Equations (8.3) and (8.4) then say that H_b(f^{-1}_{p(b)}) is an inverse of F(f)_b, for all b ≤ a.

For the last statement, suppose f is a β-isomorphism for all β < α, and suppose Ord(a) < α. We must show that Ff is an a-isomorphism. By what we have just proved, it suffices to show that f is a b-isomorphism, for all b < a, and for this, by the sheaf property, it suffices to show that f is a k-isomorphism, for all k < a, k ∈ K. But this is true because Ord(k) < Ord(a) < α. □

Remark 8.20. The strengthening of the definition of locally contractive functor compared to the definition used in the conference version of this paper [?] was introduced in order to make Lemma 8.19 true also with the weaker notion of a-isomorphism used here. Without the requirement of functoriality of H, equation (8.3) only holds for families (f_b)_{b≤p(a)}, (g_b)_{b≤p(a)} in the image of next, i.e., families that extend to families (f_b)_{b≤a}, (g_b)_{b≤a}.

We construct, by well-founded induction, for every $\alpha \le \mathrm{Ord}(\bigvee A)$ a $C$-object $X_\alpha$ and maps

$$\phi_\alpha\colon F(X_\alpha) \to X_\alpha \quad\text{and}\quad \pi_{\alpha,\beta}\colon X_\alpha \to X_\beta, \ \text{for } \beta < \alpha$$

by

$$X_\alpha = \lim_{\beta<\alpha} F(X_\beta)$$

and

$$\pi_{\alpha,\beta}\colon \lim_{\beta'<\alpha} F(X_{\beta'}) \xrightarrow{\ \pi_\beta\ } F(X_\beta) \xrightarrow{\ \phi_\beta\ } X_\beta$$

$$\phi_\alpha\colon F\Big(\lim_{\beta'<\alpha} F(X_{\beta'})\Big) \xrightarrow{\ F(\lim_{\beta'<\alpha} \phi_{\beta'})\ } F\Big(\lim_{\beta'<\alpha} X_{\beta'}\Big) \longrightarrow \lim_{\beta'<\alpha} F(X_{\beta'})$$

Precisely, each $\alpha$ is an ordered set and so can be considered a category. We define $X_\alpha$ as the limit of a diagram indexed over $\alpha$ mapping an inequality $\beta' < \beta < \alpha$ to $F(\pi_{\beta,\beta'})\colon F(X_\beta) \to F(X_{\beta'})$.

Theorem 8.21. Each $\pi_{\alpha,\beta}$ is a $\beta$-isomorphism and each $\phi_\alpha$ is an $\alpha$-isomorphism. In particular, $\phi_{\mathrm{Ord}(\bigvee A)}\colon F(X_{\mathrm{Ord}(\bigvee A)}) \to X_{\mathrm{Ord}(\bigvee A)}$ is an isomorphism.

Before we give the proof we record the following simple lemma. 

Lemma 8.22. Let $\alpha > \beta$ and let $(Y_{\beta'})_{\beta'<\alpha}$ be a diagram over $\alpha$ considered a category. The morphism $\lim_{\beta'<\alpha} Y_{\beta'} \to \lim_{\beta \le \beta' < \alpha} Y_{\beta'}$ given by diagram inclusion is an isomorphism.

Lemma 8.23. $\alpha \le \bigvee\{\gamma \mid p(\gamma) < \alpha\}$.

Proof. Recall that for ordinals $\beta < \gamma$ is equivalent to $\beta \in \gamma$, and so $p(\gamma) = \bigcup_{\beta \in \gamma} \beta$. For the lemma we must show that if $x \in \alpha$ also $x \in \bigcup_{p(\gamma)<\alpha} \gamma$, i.e., there exists a $\gamma$ such that $x \in \gamma$ and $(\bigcup_{\beta \in \gamma} \beta) \in \alpha$. Take $\gamma = \{\beta \mid \beta \le x\}$. □

Proof of Theorem 8.21. The theorem is proved by induction on $\alpha$, but the induction hypothesis must be strengthened with the following two statements.

(1) For all $\beta < \alpha$, the projection

$$\pi_\beta\colon \lim_{\beta'<\alpha} X_{\beta'} \to X_\beta$$

is a $\beta$-isomorphism.

(2) For all $\beta < \alpha$ and all $\gamma$ such that $p(\gamma) \le \beta$, the projection

$$\pi_\beta\colon \lim_{\beta'<\alpha} F(X_{\beta'}) \to F(X_\beta)$$

is a $\gamma$-isomorphism. In particular, each $\pi_\beta$ is a $\beta$-isomorphism.

We now give the induction steps of the inductive proof, proving each part of the induction hypothesis in turn.

For (1) note first that by Lemma 8.22 we may replace the limit $\lim_{\beta'<\alpha} X_{\beta'}$ by $\lim_{\beta \le \beta' < \alpha} X_{\beta'}$. By the induction hypothesis, all morphisms of the form $\pi_{\beta',\beta''}\colon X_{\beta'} \to X_{\beta''}$ for $\beta \le \beta'' < \beta' < \alpha$ are $\beta$-isomorphisms. Therefore the limit $\lim_{\beta \le \beta' < \alpha} X_{\beta'}$ is a limit of a diagram of $\beta$-isomorphisms. Since limits are computed pointwise, the projections are $\beta$-isomorphisms.

For (2) we reason similarly and conclude by Lemma 8.19 that each $F(\pi_{\beta',\beta''})$ is a $\gamma$-isomorphism. So in this case the limit $\lim_{\beta \le \beta' < \alpha} F(X_{\beta'})$ is a limit of a diagram of $\gamma$-isomorphisms and each projection $\pi_\beta$ is a $\gamma$-isomorphism.

Now consider the case of $\pi_{\alpha,\beta} = \phi_\beta \circ \pi_\beta$. By (2) above and the induction hypothesis, this is a $\beta$-isomorphism.

We will now show that $\phi_\alpha$ is an $\alpha$-isomorphism. Consider the following commutative diagram, whose vertical maps are the projections $\pi_\beta$:

$$\begin{array}{ccc}
\lim_{\beta'<\alpha} F(X_{\beta'}) & \xrightarrow{\ \lim_{\beta'<\alpha} \phi_{\beta'}\ } & \lim_{\beta'<\alpha} X_{\beta'} \\
\big\downarrow\pi_\beta & & \big\downarrow\pi_\beta \\
F(X_\beta) & \xrightarrow{\ \phi_\beta\ } & X_\beta
\end{array}$$

Since (1) and (2) state that both projections $\pi_\beta$ are $\beta$-isomorphisms and by induction hypothesis $\phi_\beta$ is a $\beta$-isomorphism, also $\lim_{\beta'<\alpha} \phi_{\beta'}$ must be a $\beta$-isomorphism. Since this holds for all $\beta < \alpha$, by Lemma 8.19 also $F(\lim_{\beta'<\alpha} \phi_{\beta'})$ must be an $\alpha$-isomorphism. Now, consider the canonical map

$$F\Big(\lim_{\beta'<\alpha} X_{\beta'}\Big) \longrightarrow \lim_{\beta'<\alpha} F(X_{\beta'})$$

It only remains to show that this map, the second map in the definition of $\phi_\alpha$, is an $\alpha$-isomorphism. By induction hypothesis (2) the maps $F(\pi_\beta)$ and $\pi_\beta$ are $\gamma$-isomorphisms for any $\gamma$ such that $p(\gamma) \le \beta$. Since this holds for all $\beta$, the canonical map is a $\bigvee\{\gamma \mid p(\gamma) < \alpha\}$-isomorphism, and we conclude by Lemma 8.23. □



Proof of Theorem 8.6. We must show that any locally contractive endofunctor $F\colon C \to C$ has a fixed point, but Theorem 8.21 gives such a fixed point. □

For Theorem 8.5 it remains to show that any slice of $\mathrm{Sh}(A)$ is a model of guarded recursive types. We do that by reducing to Theorem 8.6 using the fact that slices of $\mathrm{Sh}(A)$ are all $\mathrm{Sh}(A)$-enriched. Indeed this holds for any locally cartesian closed category $\mathcal{E}$, because one can take as hom-object from $p_X$ to $p_Y$ the object $\prod_{i \in I} Y_i^{X_i}$ (using internal language notation as in Lemma 6.7). Since each slice $\mathcal{E}/I$ is also self-enriched, this gives us two possible notions of local contractiveness. The next lemma states a relation between the two.

Lemma 8.24. Let $\mathcal{E}$ be a locally cartesian closed model of guarded recursive terms, and let $F\colon \mathcal{E}/I \to \mathcal{E}/I$ be a functor. If $F$ is locally contractive in the $\mathcal{E}/I$-enriched sense then it is also locally contractive in the $\mathcal{E}$-enriched sense.

Proof. The assumption gives an $\mathcal{E}/I$-enrichment of $F$ as a composite

$$p_Y^{p_X} \xrightarrow{\ \mathrm{next}\ } \blacktriangleright p_Y^{p_X} \xrightarrow{\ G\ } p_{FY}^{p_{FX}}$$

Lemma 6.7 then tells us that each $\prod_{i \in I} Y_i^{X_i} \to \prod_{i \in I} (FY)_i^{(FX)_i}$ is contractive in the $\mathcal{E}$-enriched sense. To show that $F$ is locally contractive in the $\mathcal{E}$-enriched sense one must check that the derived witness of contractiveness commutes with composition and identity, but this follows from naturality of the morphism $\blacktriangleright \prod_{i \in I} X_i \to \prod_{i \in I} \blacktriangleright X_i$ used in Lemma 6.7. □

Proof of Theorem 8.5. We have already shown (Theorem 8.14) that every slice of $\mathrm{Sh}(A)$ is a model of guarded recursive terms. It remains to show that any functor $F\colon \mathrm{Sh}(A)/I \to \mathrm{Sh}(A)/I$, which is locally contractive in the $\mathrm{Sh}(A)/I$-enriched sense, has a fixed point. Since $\mathrm{Sh}(A)$ is complete [27, Prop. III.4.4], its slices $\mathrm{Sh}(A)/I$ are also complete and thus the required follows from Theorem 8.6 and Lemma 8.24. □



9. Conclusion and Future Work 

We have shown that the topos of sheaves over a complete Heyting algebra with a well-founded basis, in particular $\mathcal{S}$, the topos of trees, provides a model for an extension of higher-order logic over dependent type theory with guarded recursive types and terms. Moreover, we have argued that this logic provides the right setting for the synthetic construction of step-indexed models of programming languages and program logics, by constructing a model of the programming language $F_{\mu,\mathrm{ref}}$ in the logic.

In this paper we have focused solely on guarded recursion. As future work, it would be interesting to study further the connections between guarded and unguarded recursion in $\mathcal{S}$. For example, it might be possible to show the existence of recursive types in which only negative occurrences of the recursion variable are guarded.

We plan to make a tool for formalized reasoning in the internal logic of $\mathcal{S}$. We have conducted some initial experiments by adding axioms to Coq and used it to formalize some of the proofs from [7] involving recursively defined relations on recursively defined types. These experiments suggest that it will be important to have special support for the manipulation of the isomorphisms involved in recursive type equations, such as the coercions and canonical structures of [l^]. An alternative approach, inspired by the conference version of the present paper, has recently been proposed by Jaber et al., who show how to internalize the construction of the topos of trees in Coq and thus model guarded recursive types. Future work includes investigating how easy or difficult it is in practice to develop and work with step-indexed models using that approach.

Future work also includes studying further applications of guarded recursion in connection with step-indexed models. In particular, we plan to give a synthetic account of a recent step-indexed model by the first and third author for a language with countable non-determinism [33]. That model uses step-indexing over $\omega_1$, the first uncountable ordinal, so would naturally live in sheaves over $\omega_1$. Indeed, this was part of the motivation for generalizing the study of models of guarded recursion from $\mathcal{S}$ to general sheaf categories $\mathrm{Sh}(A)$.

It could also be interesting to study predicative models of guarded recursive dependent type theory, thus extending the work of Moerdijk and Palmgren [28, 29] on "predicative toposes".
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cussions. This work was supported in part by grants from the Danish research council 
Types: $\tau ::= 1 \mid \tau_1 \times \tau_2 \mid 0 \mid \tau_1 + \tau_2 \mid \mu\alpha.\tau \mid \forall\alpha.\tau \mid \alpha \mid \tau_1 \to \tau_2 \mid \mathrm{ref}\ \tau$

Terms: $t ::= x \mid l \mid () \mid (t_1, t_2) \mid \mathrm{fst}\ t \mid \mathrm{snd}\ t \mid \mathrm{void}\ t \mid \mathrm{inl}\ t \mid \mathrm{inr}\ t \mid \mathrm{case}\ t\ \mathrm{of}\ x_1.t_1\ x_2.t_2 \mid \mathrm{fold}\ t \mid \mathrm{unfold}\ t \mid \Lambda\alpha.t \mid t[\tau] \mid \lambda x{:}\tau.t \mid t_1\ t_2 \mid \mathrm{fix}\ f.\lambda x.t \mid \mathrm{ref}\ t \mid\ !t \mid t_1 := t_2$

Typing rules:

$$\Xi \mid \Gamma \vdash x : \tau \ \ (\Xi \vdash \Gamma,\ \Gamma(x) = \tau) \qquad \Xi \mid \Gamma \vdash () : 1 \ \ (\Xi \vdash \Gamma)$$

$$\frac{\Xi \mid \Gamma \vdash t_1 : \tau_1 \quad \Xi \mid \Gamma \vdash t_2 : \tau_2}{\Xi \mid \Gamma \vdash (t_1, t_2) : \tau_1 \times \tau_2} \qquad \frac{\Xi \mid \Gamma \vdash t : 0}{\Xi \mid \Gamma \vdash \mathrm{void}\ t : \tau}$$

$$\frac{\Xi \mid \Gamma \vdash t : \tau_1 \times \tau_2}{\Xi \mid \Gamma \vdash \mathrm{fst}\ t : \tau_1} \qquad \frac{\Xi \mid \Gamma \vdash t : \tau_1 \times \tau_2}{\Xi \mid \Gamma \vdash \mathrm{snd}\ t : \tau_2}$$

$$\frac{\Xi \mid \Gamma \vdash t : \tau_1}{\Xi \mid \Gamma \vdash \mathrm{inl}\ t : \tau_1 + \tau_2} \ (\Xi \vdash \tau_2) \qquad \frac{\Xi \mid \Gamma \vdash t : \tau_2}{\Xi \mid \Gamma \vdash \mathrm{inr}\ t : \tau_1 + \tau_2} \ (\Xi \vdash \tau_1)$$

$$\frac{\Xi \mid \Gamma \vdash t : \tau_1 + \tau_2 \quad \Xi \mid \Gamma, x_i : \tau_i \vdash t_i : \tau \ \ (i = 1, 2)}{\Xi \mid \Gamma \vdash \mathrm{case}\ t\ \mathrm{of}\ x_1.t_1\ x_2.t_2 : \tau}$$

$$\frac{\Xi \mid \Gamma \vdash t : \tau[\mu\alpha.\tau/\alpha]}{\Xi \mid \Gamma \vdash \mathrm{fold}\ t : \mu\alpha.\tau} \qquad \frac{\Xi \mid \Gamma \vdash t : \mu\alpha.\tau}{\Xi \mid \Gamma \vdash \mathrm{unfold}\ t : \tau[\mu\alpha.\tau/\alpha]}$$

$$\frac{\Xi, \alpha \mid \Gamma \vdash t : \tau}{\Xi \mid \Gamma \vdash \Lambda\alpha.t : \forall\alpha.\tau} \qquad \frac{\Xi \mid \Gamma \vdash t : \forall\alpha.\tau}{\Xi \mid \Gamma \vdash t[\tau_1] : \tau[\tau_1/\alpha]} \ (\Xi \vdash \tau_1)$$

$$\frac{\Xi \mid \Gamma, x : \tau \vdash t : \tau_1}{\Xi \mid \Gamma \vdash \lambda x{:}\tau.t : \tau \to \tau_1} \qquad \frac{\Xi \mid \Gamma \vdash t_1 : \tau \to \tau' \quad \Xi \mid \Gamma \vdash t_2 : \tau}{\Xi \mid \Gamma \vdash t_1\ t_2 : \tau'}$$

$$\frac{\Xi \mid \Gamma, f : \tau \to \tau_1, x : \tau \vdash t : \tau_1}{\Xi \mid \Gamma \vdash \mathrm{fix}\ f.\lambda x.t : \tau \to \tau_1} \qquad \frac{\Xi \mid \Gamma \vdash t : \tau}{\Xi \mid \Gamma \vdash \mathrm{ref}\ t : \mathrm{ref}\ \tau}$$

$$\frac{\Xi \mid \Gamma \vdash t : \mathrm{ref}\ \tau}{\Xi \mid \Gamma \vdash\ !t : \tau} \qquad \frac{\Xi \mid \Gamma \vdash t_1 : \mathrm{ref}\ \tau \quad \Xi \mid \Gamma \vdash t_2 : \tau}{\Xi \mid \Gamma \vdash t_1 := t_2 : 1}$$

Figure 1: Programming language

Appendix A. More details on the application to step-indexing

Here are some more details on the application in Section. Everything in this appendix should be understood within the logic of $\mathcal{S}$.

A.1. Language. The full language considered in the application is shown in Figure 1.
A.2. Interpretation of types. Recall that we have

$$W = \mathbb{N} \rightharpoonup_{\mathrm{fin}} \hat{T}$$
$$T = W \to_{\mathrm{mon}} \mathcal{P}(\mathrm{Value})$$
$$T_c = W \to \mathcal{P}(\mathrm{Term})$$

and

$$\mathrm{app}\colon \hat{T} \to T, \qquad \mathrm{lam}\colon T \to \hat{T}$$

with $\mathrm{app} \circ \mathrm{lam} = \triangleright\colon T \to T$.

Let $\mathrm{TVar}$ be the set of type variables, and for $\tau \in \mathrm{OType}$, let $\mathrm{TEnv}(\tau) = \{\varphi \in \mathrm{TVar} \rightharpoonup_{\mathrm{fin}} T \mid \mathrm{FV}(\tau) \subseteq \mathrm{dom}(\varphi)\}$. The interpretation of programming-language types is defined by induction, as a function

$$[\![-]\!]\colon \prod_{\tau \in \mathrm{OType}} \mathrm{TEnv}(\tau) \to T.$$

$$[\![\alpha]\!]\varphi = \varphi(\alpha)$$

$$[\![1]\!]\varphi = \lambda w.\{()\}$$

$$[\![0]\!]\varphi = \lambda w.\emptyset$$

$$[\![\tau_1 \times \tau_2]\!]\varphi = \lambda w.\{(v_1, v_2) \mid v_1 \in [\![\tau_1]\!]\varphi(w) \wedge v_2 \in [\![\tau_2]\!]\varphi(w)\}$$

$$[\![\tau_1 + \tau_2]\!]\varphi = \lambda w.\{\mathrm{inl}\ v_1 \mid v_1 \in [\![\tau_1]\!]\varphi(w)\} \cup \{\mathrm{inr}\ v_2 \mid v_2 \in [\![\tau_2]\!]\varphi(w)\}$$

$$[\![\mathrm{ref}\ \tau]\!]\varphi = \lambda w.\{l \mid l \in \mathrm{dom}(w) \wedge \forall w_1 \ge w.\ \mathrm{app}(w(l))(w_1) = \triangleright([\![\tau]\!]\varphi)(w_1)\}$$

$$[\![\forall\alpha.\tau]\!]\varphi = \lambda w.\{\Lambda\alpha.t \mid \forall \nu \in T.\ \forall w_1 \ge w.\ t \in \mathrm{comp}([\![\tau]\!]\varphi[\alpha \mapsto \nu])(w_1)\}$$

$$[\![\mu\alpha.\tau]\!]\varphi = \mathrm{fix}(\lambda \nu.\ \lambda w.\{\mathrm{fold}\ v \mid \triangleright(v \in [\![\tau]\!]\varphi[\alpha \mapsto \nu](w))\})$$

$$[\![\tau_1 \to \tau_2]\!]\varphi = \lambda w.\{\lambda x.t \mid \forall w_1 \ge w.\ \forall v \in [\![\tau_1]\!]\varphi(w_1).\ t[v/x] \in \mathrm{comp}([\![\tau_2]\!]\varphi)(w_1)\}$$

Here the operations $\mathrm{comp}\colon T \to T_c$ and $\mathrm{states}\colon W \to \mathcal{P}(\mathrm{Store})$ are given by

$$\mathrm{comp}(\nu)(w) = \{t \mid \forall s \in \mathrm{states}(w).\ \mathrm{eval}(t, s, \lambda(v_1, s_1).\ \exists w_1 \ge w.\ v_1 \in \nu(w_1) \wedge s_1 \in \mathrm{states}(w_1))\}$$

$$\mathrm{states}(w) = \{s \mid \mathrm{dom}(s) = \mathrm{dom}(w) \wedge \forall l \in \mathrm{dom}(w).\ s(l) \in \mathrm{app}(w(l))(w)\}.$$

A.3. Soundness and the fundamental theorem. Given $\Xi$ and $\Gamma$ such that $\Gamma$ is well-formed in $\Xi$, and given $\varphi \in T^\Xi$, define

$$[\![\Gamma]\!]\varphi(w) = \{\rho : \mathrm{Value}^{\mathrm{dom}(\Gamma)} \mid \forall (x, \tau) \in \Gamma.\ \rho(x) \in [\![\tau]\!]\varphi(w)\}.$$

Abbreviate $[\![\tau]\!]^c\varphi = \mathrm{comp}([\![\tau]\!]\varphi)$.

Now we define semantic validity. The notation

$$\Xi \mid \Gamma \models t : \tau$$

means: For all $w \in W$, all $\varphi \in T^\Xi$, and all $\rho \in [\![\Gamma]\!]\varphi(w)$, we have $\rho(t) \in [\![\tau]\!]^c\varphi(w)$. (Here $\rho(t)$ is $\rho$ acting by substitution on $t$.)

To show the fundamental theorem, we must show semantic counterparts of all the typing rules. First we need some "monadic" properties of the comp operator. For $\nu \in T$ and $\xi \in T_c$ and $w \in W$, let $\nu \multimap_w \xi$ be the set of closed evaluation contexts $E$ that satisfy the following property: for all $w_1 \ge w$ and $v \in \nu(w_1)$ we have $E[v] \in \xi(w_1)$.

Lemma A.1.

(1) If $v \in \nu(w)$, then $v \in \mathrm{comp}(\nu)(w)$.

(2) If $t \in \mathrm{comp}(\nu_1)(w)$ and $E \in \nu_1 \multimap_w \mathrm{comp}(\nu_2)$, then $E[t] \in \mathrm{comp}(\nu_2)(w)$.

Proof. The first part follows immediately from the definitions of comp and eval. As for the second part, let $t \in \mathrm{comp}(\nu_1)(w)$ and $E \in \nu_1 \multimap_w \mathrm{comp}(\nu_2)$ be given; we must show that $E[t] \in \mathrm{comp}(\nu_2)(w)$. We unfold the definition of comp. Let $s \in \mathrm{states}(w)$ be given; we must show that $\mathrm{eval}(E[t], s, Q)$ where

$$Q(v_2, s_2) = \exists w_2 \ge w.\ v_2 \in \nu_2(w_2) \wedge s_2 \in \mathrm{states}(w_2).$$

By Proposition 3.2 it suffices to show

$$\mathrm{eval}(t, s, \lambda(v_1, s_1).\ \mathrm{eval}(E[v_1], s_1, Q)). \qquad (\mathrm{A.1})$$

Since $t \in \mathrm{comp}(\nu_1)(w)$ and $s \in \mathrm{states}(w)$ we know that

$$\mathrm{eval}(t, s, \lambda(v_1, s_1).\ \exists w_1 \ge w.\ v_1 \in \nu_1(w_1) \wedge s_1 \in \mathrm{states}(w_1)).$$

We can therefore use Proposition 3.1 to show (A.1): it suffices to show that $\exists w_1 \ge w.\ v_1 \in \nu_1(w_1) \wedge s_1 \in \mathrm{states}(w_1)$ implies $\mathrm{eval}(E[v_1], s_1, Q)$. So let $w_1 \ge w$ be given and assume that $v_1 \in \nu_1(w_1)$ and $s_1 \in \mathrm{states}(w_1)$. Then, since $E \in \nu_1 \multimap_w \mathrm{comp}(\nu_2)$, we have $E[v_1] \in \mathrm{comp}(\nu_2)(w_1)$ and hence

$$\mathrm{eval}(E[v_1], s_1, \lambda(v_2, s_2).\ \exists w_2 \ge w_1.\ v_2 \in \nu_2(w_2) \wedge s_2 \in \mathrm{states}(w_2)).$$

Since $w_1 \ge w$, another use of Proposition 3.1 gives $\mathrm{eval}(E[v_1], s_1, Q)$, which is what we had to show. □

Proof of the fundamental theorem. We show four key cases.

A.4. Case "allocation": If $\Xi \mid \Gamma \models t : \tau$, then $\Xi \mid \Gamma \models \mathrm{ref}\ t : \mathrm{ref}\ \tau$.

Let $w \in W$ and $\varphi \in T^\Xi$ and $\rho \in [\![\Gamma]\!]\varphi(w)$ be given; we must show that $\rho(\mathrm{ref}\ t) \in [\![\mathrm{ref}\ \tau]\!]^c\varphi(w)$. Since $\Xi \mid \Gamma \models t : \tau$ holds we know that $\rho(t) \in [\![\tau]\!]^c\varphi(w)$. Therefore, by Lemma A.1 it suffices to show that $\mathrm{ref}\ - \in [\![\tau]\!]\varphi \multimap_w [\![\mathrm{ref}\ \tau]\!]^c\varphi$. To that end, let $w_1 \ge w$ and $v \in [\![\tau]\!]\varphi(w_1)$ be given. We must show that $\mathrm{ref}\ v \in [\![\mathrm{ref}\ \tau]\!]^c\varphi(w_1)$.

Let $s \in \mathrm{states}(w_1)$ be given. By definition of comp we must show

$$\mathrm{eval}(\mathrm{ref}\ v, s, \lambda(v_1, s_1).\ \exists w_2 \ge w_1.\ v_1 \in [\![\mathrm{ref}\ \tau]\!]\varphi(w_2) \wedge s_1 \in \mathrm{states}(w_2)).$$

Let $l$ be the smallest location not in $s$. Then we have $\mathrm{step}((\mathrm{ref}\ v, s), (l, s_1))$ where $s_1 = s[l \mapsto v]$. Therefore, by definition of eval and Proposition 2.7 it suffices to show

$$\exists w_2 \ge w_1.\ l \in [\![\mathrm{ref}\ \tau]\!]\varphi(w_2) \wedge s_1 \in \mathrm{states}(w_2).$$

(In fact, we are only required to show $\triangleright$ applied to this formula, which is weaker by Proposition 2.7(1).) To that end, we choose $w_2 = w_1[l \mapsto \mathrm{lam}([\![\tau]\!]\varphi)]$. It remains to show

$$l \in [\![\mathrm{ref}\ \tau]\!]\varphi(w_2) \qquad (\mathrm{A.2})$$

$$s_1 \in \mathrm{states}(w_2). \qquad (\mathrm{A.3})$$

As for (A.2), we expand the definition of $[\![\mathrm{ref}\ \tau]\!]$. Clearly we have $l \in \mathrm{dom}(w_2)$ as required. Now let $w_3 \ge w_2$ be given; Lemma 3.3 gives

$$\mathrm{app}(w_2(l))(w_3) = \mathrm{app}(\mathrm{lam}([\![\tau]\!]\varphi))(w_3) = \triangleright([\![\tau]\!]\varphi)(w_3)$$

as required.

As for (A.3), we first have that $\mathrm{dom}(s_1) = \mathrm{dom}(w_2)$ since $s \in \mathrm{states}(w_1)$. Second, we must show that $s_1(l') \in \mathrm{app}(w_2(l'))(w_2)$ for all $l' \in \mathrm{dom}(s_1)$. For $l' = l$ we have $\mathrm{app}(w_2(l))(w_2) = \triangleright([\![\tau]\!]\varphi)(w_2)$ as above. But $s_1(l) = v$, and we know that $v \in [\![\tau]\!]\varphi(w_1)$ where

$$[\![\tau]\!]\varphi(w_1) \subseteq [\![\tau]\!]\varphi(w_2) \subseteq \triangleright([\![\tau]\!]\varphi)(w_2)$$

by monotonicity and Proposition 2.7(1). We conclude that $s_1(l) \in \mathrm{app}(w_2(l))(w_2)$.

For $l' \neq l$ we have $s_1(l') = s(l')$. Since $s \in \mathrm{states}(w_1)$ we know that $s(l') \in \mathrm{app}(w_1(l'))(w_1)$. But

$$\mathrm{app}(w_1(l'))(w_1) = \mathrm{app}(w_2(l'))(w_1) \subseteq \mathrm{app}(w_2(l'))(w_2)$$

by monotonicity. Therefore $s_1(l') \in \mathrm{app}(w_2(l'))(w_2)$, which completes the proof of (A.3).

A.5. Case "lookup": If $\Xi \mid \Gamma \models t : \mathrm{ref}\ \tau$ then $\Xi \mid \Gamma \models\ !t : \tau$.

Let $w \in W$ and $\varphi \in T^\Xi$ and $\rho \in [\![\Gamma]\!]\varphi(w)$ be given; we must show that $\rho(!t) \in [\![\tau]\!]^c\varphi(w)$. Since $\Xi \mid \Gamma \models t : \mathrm{ref}\ \tau$ holds we know that $\rho(t) \in [\![\mathrm{ref}\ \tau]\!]^c\varphi(w)$. Therefore, by Lemma A.1 it suffices to show that $!- \in [\![\mathrm{ref}\ \tau]\!]\varphi \multimap_w [\![\tau]\!]^c\varphi$. This is essentially what was done in the proof sketch in the main text, but for completeness we repeat the argument here.

Let $w_1 \ge w$ and $v \in [\![\mathrm{ref}\ \tau]\!]\varphi(w_1)$ be given. We must show that $!v \in \mathrm{comp}([\![\tau]\!]\varphi)(w_1)$. We unfold the definition of comp. Let $s \in \mathrm{states}(w_1)$ be given; we must show

$$\mathrm{eval}(!v, s, \lambda(v_2, s_2).\ \exists w_2 \ge w_1.\ v_2 \in [\![\tau]\!]\varphi(w_2) \wedge s_2 \in \mathrm{states}(w_2)). \qquad (\mathrm{A.4})$$

By the assumption that $v \in [\![\mathrm{ref}\ \tau]\!]\varphi(w_1)$, we know that $v = l$ for some location $l$ such that $l \in \mathrm{dom}(w_1)$ and $\mathrm{app}(w_1(l))(w_2) = \triangleright([\![\tau]\!]\varphi)(w_2)$ for all $w_2 \ge w_1$. Since $s \in \mathrm{states}(w_1)$, we know that $l \in \mathrm{dom}(s) = \mathrm{dom}(w_1)$ and $s(l) \in \mathrm{app}(w_1(l))(w_1)$. We therefore have $\mathrm{step}((!v, s), (s(l), s))$. Hence, by unfolding the definition of eval in (A.4) and using the rules from Proposition 2.7 it remains to show that

$$\exists w_2 \ge w_1.\ \triangleright(s(l) \in [\![\tau]\!]\varphi(w_2)) \wedge \triangleright(s \in \mathrm{states}(w_2)).$$

To that end, choose $w_2 = w_1$. First, $s \in \mathrm{states}(w_1)$ and hence $\triangleright(s \in \mathrm{states}(w_1))$. Second,

$$s(l) \in \mathrm{app}(w_1(l))(w_1) = \triangleright([\![\tau]\!]\varphi)(w_1),$$

which means exactly that $\triangleright(s(l) \in [\![\tau]\!]\varphi(w_1))$.
A.6. Case "assignment": If $\Xi \mid \Gamma \models t_1 : \mathrm{ref}\ \tau$ and $\Xi \mid \Gamma \models t_2 : \tau$, then $\Xi \mid \Gamma \models t_1 := t_2 : 1$.

Here we must use Lemma A.1 twice. Let $w \in W$ and $\varphi \in T^\Xi$ and $\rho \in [\![\Gamma]\!]\varphi(w)$ be given; we must show that

$$\rho(t_1 := t_2) \in [\![1]\!]^c\varphi(w).$$

Since $\Xi \mid \Gamma \models t_1 : \mathrm{ref}\ \tau$ holds we know that $\rho(t_1) \in [\![\mathrm{ref}\ \tau]\!]^c\varphi(w)$. Therefore, by Lemma A.1 it suffices to show that

$$(- := \rho(t_2)) \in [\![\mathrm{ref}\ \tau]\!]\varphi \multimap_w [\![1]\!]^c\varphi.$$

So let $w_1 \ge w$ and $v_1 \in [\![\mathrm{ref}\ \tau]\!]\varphi(w_1)$ be given; we must show that $(v_1 := \rho(t_2)) \in [\![1]\!]^c\varphi(w_1)$. By assumption we have $\rho(t_2) \in [\![\tau]\!]^c\varphi(w_1)$, so by Lemma A.1 again, it suffices to show that

$$(v_1 := -) \in [\![\tau]\!]\varphi \multimap_{w_1} [\![1]\!]^c\varphi.$$

Therefore, let $w_2 \ge w_1$ and $v_2 \in [\![\tau]\!]\varphi(w_2)$ be given. The final proof obligation is to show that

$$(v_1 := v_2) \in [\![1]\!]^c\varphi(w_2).$$

We unfold the definition of comp. Assume that $s \in \mathrm{states}(w_2)$ is given; we must show

$$\mathrm{eval}((v_1 := v_2), s, \lambda(v_3, s_3).\ \exists w_3 \ge w_2.\ v_3 \in [\![1]\!]\varphi(w_3) \wedge s_3 \in \mathrm{states}(w_3)).$$

By monotonicity we have $v_1 \in [\![\mathrm{ref}\ \tau]\!]\varphi(w_2)$, and therefore $v_1 = l$ for some $l \in \mathrm{dom}(w_2)$ such that

$$\mathrm{app}(w_2(l))(w_3) = \triangleright([\![\tau]\!]\varphi)(w_3) \ \text{ for all } w_3 \ge w_2. \qquad (\mathrm{A.5})$$

Furthermore, since $s \in \mathrm{states}(w_2)$ we know that $\mathrm{dom}(s) = \mathrm{dom}(w_2)$ and hence that $l \in \mathrm{dom}(s)$. Therefore $\mathrm{step}((v_1 := v_2, s), ((), s[l \mapsto v_2]))$ holds. By definition of eval and Proposition 2.7 it then suffices to show

$$\exists w_3 \ge w_2.\ () \in [\![1]\!]\varphi(w_3) \wedge s[l \mapsto v_2] \in \mathrm{states}(w_3).$$

We choose $w_3 = w_2$. Now $() \in [\![1]\!]\varphi(w_2)$ holds trivially, and it remains to show that $s[l \mapsto v_2] \in \mathrm{states}(w_2)$. For $l' \neq l$ we have

$$(s[l \mapsto v_2])(l') = s(l') \in \mathrm{app}(w_2(l'))(w_2)$$

since $s \in \mathrm{states}(w_2)$. Furthermore,

$$(s[l \mapsto v_2])(l) = v_2 \in [\![\tau]\!]\varphi(w_2),$$

and therefore $\triangleright(v_2 \in [\![\tau]\!]\varphi(w_2))$ by Proposition 2.7(1). But this means exactly that $v_2 \in \triangleright([\![\tau]\!]\varphi)(w_2)$. We conclude from (A.5) that $v_2 \in \mathrm{app}(w_2(l))(w_2)$ as required.

A.7. Case "unfold": If $\Xi \mid \Gamma \models t : \mu\alpha.\tau$, then $\Xi \mid \Gamma \models \mathrm{unfold}\ t : \tau[(\mu\alpha.\tau)/\alpha]$.

Abbreviate $\tau_1 = \tau[(\mu\alpha.\tau)/\alpha]$. Let $w \in W$ and $\varphi \in T^\Xi$ and $\rho \in [\![\Gamma]\!]\varphi(w)$ be given; we must show that $\rho(\mathrm{unfold}\ t) \in [\![\tau_1]\!]^c\varphi(w)$. Since $\Xi \mid \Gamma \models t : \mu\alpha.\tau$ holds we know that $\rho(t) \in [\![\mu\alpha.\tau]\!]^c\varphi(w)$. Therefore, by Lemma A.1 it suffices to show that $\mathrm{unfold}\ - \in [\![\mu\alpha.\tau]\!]\varphi \multimap_w [\![\tau_1]\!]^c\varphi$. To that end, let $w_1 \ge w$ and $v \in [\![\mu\alpha.\tau]\!]\varphi(w_1)$ be given. We must show that $\mathrm{unfold}\ v \in [\![\tau_1]\!]^c\varphi(w_1)$.

Let $s \in \mathrm{states}(w_1)$ be given. By definition of comp we must show

$$\mathrm{eval}(\mathrm{unfold}\ v, s, \lambda(v_1, s_1).\ \exists w_2 \ge w_1.\ v_1 \in [\![\tau_1]\!]\varphi(w_2) \wedge s_1 \in \mathrm{states}(w_2)). \qquad (\mathrm{A.6})$$

By definition of $[\![\mu\alpha.\tau]\!]$ we know that $v = \mathrm{fold}\ v_0$ for some $v_0$ such that $\triangleright(v_0 \in [\![\tau]\!]\varphi[\alpha \mapsto [\![\mu\alpha.\tau]\!]\varphi](w_1))$ holds. By Proposition 2.7 and a substitution lemma (shown by an easy induction on types), this means that $\triangleright(v_0 \in [\![\tau_1]\!]\varphi(w_1))$ holds.

Since $v = \mathrm{fold}\ v_0$ we have $\mathrm{step}((\mathrm{unfold}\ v, s), (v_0, s))$. Therefore, by unfolding the definition of eval in (A.6) and using Proposition 2.7 it suffices to show

$$\exists w_2 \ge w_1.\ \triangleright(v_0 \in [\![\tau_1]\!]\varphi(w_2)) \wedge \triangleright(s \in \mathrm{states}(w_2)).$$

We choose $w_2 = w_1$. We have already shown that $\triangleright(v_0 \in [\![\tau_1]\!]\varphi(w_1))$ holds, and Proposition 2.7(1) gives that $s \in \mathrm{states}(w_1)$ implies $\triangleright(s \in \mathrm{states}(w_1))$, as required. □

As an immediate corollary of the fundamental theorem we get a type-safety result for the "temporal" semantics given by the eval predicate. This is formulated by means of a trivial post-condition.

Corollary A.2 (Type safety). Assume that $\vdash t : \tau$ holds. Then $\mathrm{eval}(t, s_{\mathrm{init}}, \top)$ holds where $s_{\mathrm{init}}$ is the empty store.

Proof. Follows directly from the fundamental theorem (using the empty world $\emptyset \in W$) and Proposition 3.1. □
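The four cases above all share one shape: reduce to a context membership via Lemma A.1, take one reduction step, and discharge the resulting $\triangleright$-guarded obligation with Proposition 2.7. As an added worked example, not part of the original appendix, the same pattern carried through for the first projection shows what is left once no store or world manipulation is involved. It assumes the reduction $\mathrm{step}((\mathrm{fst}\ (v_1, v_2), s), (v_1, s))$ for the operational semantics, which is the usual rule but is not listed on this page.

Case "first projection": If $\Xi \mid \Gamma \models t : \tau_1 \times \tau_2$, then $\Xi \mid \Gamma \models \mathrm{fst}\ t : \tau_1$.

Let $w \in W$, $\varphi \in T^\Xi$ and $\rho \in [\![\Gamma]\!]\varphi(w)$ be given; we must show that $\rho(\mathrm{fst}\ t) \in [\![\tau_1]\!]^c\varphi(w)$. Since $\rho(t) \in [\![\tau_1 \times \tau_2]\!]^c\varphi(w)$, by Lemma A.1(2) it suffices to show that $\mathrm{fst}\ - \in [\![\tau_1 \times \tau_2]\!]\varphi \multimap_w [\![\tau_1]\!]^c\varphi$. So let $w_1 \ge w$ and $v \in [\![\tau_1 \times \tau_2]\!]\varphi(w_1)$ be given. By definition of $[\![\tau_1 \times \tau_2]\!]$ we have $v = (v_1, v_2)$ with $v_1 \in [\![\tau_1]\!]\varphi(w_1)$. Unfolding comp, let $s \in \mathrm{states}(w_1)$ be given; we must show

$$\mathrm{eval}(\mathrm{fst}\ v, s, \lambda(v', s').\ \exists w_2 \ge w_1.\ v' \in [\![\tau_1]\!]\varphi(w_2) \wedge s' \in \mathrm{states}(w_2)).$$

By the assumed reduction rule, $\mathrm{step}((\mathrm{fst}\ (v_1, v_2), s), (v_1, s))$ holds, so by definition of eval and Proposition 2.7 it suffices to show

$$\exists w_2 \ge w_1.\ \triangleright(v_1 \in [\![\tau_1]\!]\varphi(w_2)) \wedge \triangleright(s \in \mathrm{states}(w_2)).$$

Choose $w_2 = w_1$. Both conjuncts follow from $v_1 \in [\![\tau_1]\!]\varphi(w_1)$, $s \in \mathrm{states}(w_1)$ and Proposition 2.7(1).

Compared with the allocation case, no new world has to be chosen and no store invariant has to be re-established: a pure reduction only consumes a step, and that step is exactly what the $\triangleright$ in the proof obligation absorbs.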